Authentication

Or from the terminal:

curl -X POST https://www.stipple.sh/v1/keys \
  -H "Content-Type: application/json" \
  -d '{"email": "you@company.com"}'

# → { "api_key": "stp_...", "key_id": "key_...", "daily_limit": 50 }

Send the key on every request — REST and MCP alike — as a Bearer token:

curl -X POST https://www.stipple.sh/v1/verify-references \
  -H "Authorization: Bearer stp_..." \
  -H "Content-Type: application/json" \
  -d '{"url": "https://example.com/report.pdf"}'

A presented-but-invalid key returns 401 — it never silently falls back to the anonymous quota, so typos and revocations surface immediately.

Usage is metered by the same counters that enforce the quota, so what you read is exactly what's enforced:

curl https://www.stipple.sh/v1/usage -H "Authorization: Bearer stp_..."

# → {
#     "key_id": "key_…",
#     "daily_limit": 50,
#     "today": { "used": 12, "remaining": 38 },
#     "days": [ { "day": "20260612", "count": 12 }, ... ]
#   }

MCP clients that support custom headers can send the same Authorization header on the server connection — the tools then meter against your key instead of your egress IP. See MCP integration.

• Keys are free while the service is in preview; metering exists so future paid tiers have honest history.
• Need a higher limit for a real integration? Email us — limits are per key and adjustable.
• To revoke a key today, email us; self-serve revocation ships with the dashboard.