
Authentication

Every request to the Mereon API and MCP server is authenticated with a personal access token (PAT). One token, sent as a header. There is no OAuth flow or app registration to set up.

Open Profile → API Tokens in the Mereon app and create a token. The full value is shown once, at creation, and never again. Copy it then.

A token looks like this:

mrn_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Send it on every request as a bearer token:

curl https://api.mereon.ai/v1/me \
-H "Authorization: Bearer mrn_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
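The same request as a small Python client, added here as an example rather than code from the Mereon documentation. It reads the token from an environment variable so the secret stays out of source and shell history, checks the token's shape before use, redacts it for log output, and turns a rejected request into a message that tells the caller what to do. Assumptions not stated on the page: the token body is at least 20 characters with no whitespace, and rejected tokens come back as HTTP 401 (invalid, expired or revoked) or 403 (authenticated, but not permitted).

```python
import json
import os
import re
import urllib.error
import urllib.request

API_BASE = "https://api.mereon.ai/v1"  # base URL from the page's curl example

# Assumed token shape: the "mrn_" prefix shown on the page, followed by an
# opaque body of at least 20 non-whitespace characters.
TOKEN_RE = re.compile(r"^mrn_\S{20,}$")


def load_token(environ=None, env_var="MEREON_TOKEN"):
    """Read the PAT from the environment (or a supplied mapping) and validate its shape.

    Reading from the environment keeps the token out of source control and
    shell history; the shape check catches a truncated or pasted-wrong value
    before it is ever sent.
    """
    env = os.environ if environ is None else environ
    token = env.get(env_var, "").strip()
    if not TOKEN_RE.match(token):
        raise ValueError(f"{env_var} is unset or does not look like a Mereon PAT")
    return token


def redact(token):
    """Loggable form of a token: prefix and last four characters only."""
    return token[:4] + "..." + token[-4:]


def auth_headers(token):
    """Headers for every API call: the PAT as a bearer token."""
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def classify_failure(status):
    """Map an HTTP error to an action for the operator.

    Assumed status codes: the page only says a token stops working on the
    next request once it expires or its owner loses access.
    """
    if status == 401:
        return "token invalid, expired or revoked: create a new token under Profile -> API Tokens"
    if status == 403:
        return "token accepted but not permitted: the owner lacks access or the API is off for the organization"
    return f"request failed with HTTP {status}"


def get_me(token, opener=urllib.request.urlopen):
    """Call GET /v1/me with the token; raise a descriptive error on rejection."""
    req = urllib.request.Request(f"{API_BASE}/me", headers=auth_headers(token))
    try:
        with opener(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        # Never log the full token; the redacted form is enough to identify it.
        raise RuntimeError(f"{classify_failure(exc.code)} (token {redact(token)})") from None


if __name__ == "__main__":
    # Usage: MEREON_TOKEN=mrn_... python mereon_client.py
    print(json.dumps(get_me(load_token()), indent=2))
```

The `opener` parameter exists so the request path can be exercised against a stub in tests; in normal use the default `urllib.request.urlopen` is used.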

A token is not a separate identity with its own permissions. It resolves to the person who created it, and every request is evaluated against that person’s current access in Mereon, live.

This has a few practical consequences:

  • If your access to some content is removed, your tokens lose access to it on the very next request. Nothing is cached.
  • A token never grants more than the person already has. It cannot see content they cannot see.
  • Tokens are read-only. They carry the read scope and there are no endpoints that change your data.

If you belong to more than one organization, a token always resolves to the single organization it was created in, even if you later switch your active organization in the app. To use the API for another organization, create a separate token while that organization is active.

Tokens expire after 90 days by default. The expiry is set when the token is created and does not change afterward, so rotating a token means creating a new one and deleting the old.

Your organization’s admins can change the default expiry policy, including allowing non-expiring tokens. The policy applies to newly created tokens; existing tokens keep the expiry they were issued with.

Organization admins have organization-wide controls over API access:

  • Turn the API on or off for the whole organization. When it is off, no one can create or use tokens.
  • Set the expiry policy that applies to new tokens.
  • List and revoke any member’s tokens.

Whether the API is available at all depends on the plan: the organization's subscription must include the public API feature. If you cannot see the API Tokens screen, ask your admin whether your plan includes it.

Every successful request is recorded against the token, including the endpoint or MCP tool that was called. An admin can review a token's history to answer questions like "what did this tool read last week?" Denied and failed requests are not recorded, so an attempt made with an expired or revoked token, or a request for content the token's owner cannot see, leaves no trace in that history. If you need visibility into rejected calls, log them on the client side.