Skip to main content
The REST API requires a Pro or Enterprise plan.
The Mintlify REST (Representational State Transfer) API enables you to programmatically interact with your documentation, trigger updates, embed AI-powered chat experiences, and export analytics data.

Endpoints

Common use cases

Authentication

Generate API keys on the API keys page in your dashboard. Each API key belongs to an organization—you can use keys across multiple deployments within the same organization. You can create up to 10 API keys per hour per organization. Mintlify uses two types of API keys, each scoped to a different set of endpoints:
Key typePrefixUse for
Admin API keymint_Updates, agent jobs, and analytics exports. Server-side only.
Assistant API keymint_dsc_Assistant endpoints (create message, search, get page content). Proxy in production.

Admin API key

Use the admin API key for deployment, triggering the agent, and analytics endpoints. Admin API keys begin with the mint_ prefix. The admin API key is a server-side secret. Do not expose it in client-side code.

Assistant API key

Do not directly embed the assistant API key in client-side code. Any visitor who extracts the key can send requests on your behalf, consuming credits and potentially triggering overage charges.For production deployments, proxy assistant API requests through your own backend and store the key as a server-side environment variable. Routing requests through a proxy also lets you add rate limiting, authentication, and bot protection to prevent abuse.
Use the assistant API key for the assistant endpoints. Assistant API keys begin with the mint_dsc_ prefix.
Calls using the assistant API token can incur costs: either using your assistant credits or incurring overages.

Restrict keys by IP address

You can optionally restrict an API key to a list of allowed IP addresses or CIDR ranges. When a key has an allowlist, requests from any other IP address are rejected with a 403 response. Both admin and assistant API keys support allowlists. Set the allowlist when you create the key on the API keys page in your dashboard. The allowlist is fixed for the lifetime of the key — to change it, delete the key and create a new one. If you don’t set an allowlist, the key accepts requests from any IP address. Allowlist entries support:
  • IPv4 and IPv6 addresses, for example 203.0.113.5 or 2001:db8::1.
  • CIDR ranges, for example 198.51.100.0/24 or 2001:db8::/48.
Catch-all entries like 0.0.0.0/0 and ::/0 are not allowed. Use IP allowlists when your API key is called from a stable set of egress IPs — for example, a CI/CD runner, a static NAT gateway, or your backend server. Avoid allowlists for keys used from developer laptops or other environments with changing IPs.

Restrict admin keys by scope

You can optionally restrict an admin API key to read or write scopes. Scopes apply only to admin API keys; assistant API keys are unaffected. Set scopes when you create the key on the API keys page in your dashboard. Scopes are fixed for the lifetime of the key — to change them, delete the key and create a new one. If you don’t set any scopes, the key can call every admin endpoint (existing keys keep working). Mintlify derives the required scope from the HTTP method of the request:
HTTP methodRequired scope
GET, HEADread
All otherswrite
A key with write also satisfies read, so ["read", "write"] and ["write"] both allow every endpoint. Requests that require a scope the key does not have are rejected with a 403 response. Only read and write are accepted. Any other value returns a 400 response at key creation.

Set an expiration date

You can optionally set an expiration date on any API key at creation. After the expiration timestamp passes, requests using the key are rejected. Both admin and assistant API keys support expiration. Set the expiration on the API keys page in your dashboard. The expiration is fixed for the lifetime of the key — to change it, delete the key and create a new one. If you don’t set an expiration, the key never expires. The expiration must be a future ISO 8601 timestamp. Past or invalid timestamps return a 400 response at key creation. The expiration is returned as expiresAt when you list keys, or null for keys with no expiration. Use expirations for short-lived credentials such as CI/CD tokens, external contractors, or one-off scripts. Rotate long-lived keys by creating a replacement, updating your integrations, and deleting the old key.