
Authentication

All Recuro API endpoints require authentication via a Bearer token.

Getting your API token

  1. Log in to the Recuro dashboard
  2. Go to Settings > API
  3. Click Generate Token (or Regenerate to replace an existing one)
  4. Copy the token — it is shown only once

Using the token

Pass your token in the Authorization header with every API request:

curl -X POST https://app.recurohq.com/api/crons \
-H "Authorization: Bearer YOUR_API_TOKEN" \
-H "Content-Type: application/json" \
-d '{ ... }'

How authentication works

  1. Recuro hashes your token using SHA-256
  2. The hash is matched against stored token hashes in the database
  3. If a match is found, the request runs in the context of the associated user’s current team
  4. All resources created belong to that team

The same token works for the REST API and the MCP server.

Error responses

Missing token:

{ "error": "Missing authorization token" }

Status: 401 Unauthorized

Invalid token:

{ "error": "Invalid webhook token" }

Status: 401 Unauthorized

Team scope

Your API token operates in the context of your current team. If you belong to multiple teams, switch teams in the dashboard before making API calls to target the correct team.

All API calls create and access resources within that team only. Resources from other teams are never accessible.
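A sketch of the lookup described under "How authentication works" and "Team scope", added here as an illustration and not Recuro's own code. The function names, the in-memory dictionaries standing in for the database, the one-token-per-user rule and the shape of the success result are assumptions; the two error bodies are the ones documented above.

```python
import hashlib
import secrets

# Constructed in-memory stand-ins for the database (hypothetical names).
CURRENT_TEAM = {"alice": "staging"}   # user -> team currently selected in the dashboard
TOKEN_OWNERS = {}                     # SHA-256 hex digest of token -> user


def token_hash(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def generate_token(user: str) -> str:
    """Create a token, keep only its hash, and return the plaintext once."""
    token = secrets.token_urlsafe(32)
    # Assumed here: one token per user, so regenerating drops the old hash.
    for digest in [d for d, u in TOKEN_OWNERS.items() if u == user]:
        del TOKEN_OWNERS[digest]
    TOKEN_OWNERS[token_hash(token)] = user
    return token


def authenticate(headers: dict):
    """Return (status, body) for a request's headers."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return 401, {"error": "Missing authorization token"}
    user = TOKEN_OWNERS.get(token_hash(token))
    if user is None:
        return 401, {"error": "Invalid webhook token"}
    # The team is resolved at request time, so switching teams in the
    # dashboard changes where the same token acts.
    return 200, {"user": user, "team": CURRENT_TEAM[user]}


if __name__ == "__main__":
    tok = generate_token("alice")
    print(authenticate({"Authorization": f"Bearer {tok}"}))
    CURRENT_TEAM["alice"] = "production"
    print(authenticate({"Authorization": f"Bearer {tok}"}))
    print(authenticate({}))
    print(authenticate({"Authorization": "Bearer not-a-real-token"}))
```

Because only the digest is stored, a copy of the token table does not reveal usable tokens, which is also why the dashboard can show the plaintext only once.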

Security recommendations

  • Store your API token in environment variables, not in code
  • Rotate your token periodically from Settings > API
  • Use separate tokens (and separate teams) for staging and production
  • Never expose your token in client-side code or public repositories

Next steps