Every request to the API requires a Bearer token in the Authorization header. Keys are prefixed by environment so a lmp_test_… key cannot accidentally write to production data.
Headers
Key shape
| Prefix | Environment | Use |
|---|---|---|
| lmp_live_… | production | hits api.letmepost.dev |
| lmp_test_… | sandbox | hits sandbox accounts; rejects live writes |
Scoping
A key carries two scopes:
- Organization — every key is bound to a single organization. There is no cross-org key.
- Profile (optional) — a key may be pinned to a single profile within the org. Cross-profile access by a profile-scoped key returns 404 not_found, never 403, so the key cannot probe for the existence of other profiles.
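
The scoping rule above, as an added example that is not letmepost's own code: a Python model in which nonexistent, other-organization and out-of-scope profiles all produce the same not_found response, so the reply carries no existence signal. The names ApiKey, PROFILES and check_profile_access, the sample ids, and the 401 status for unauthenticated are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data: profile id -> owning organization id.
PROFILES = {"prof_a": "org_1", "prof_b": "org_1", "prof_c": "org_2"}

# Prefix-to-environment mapping taken from the key shape table.
PREFIX_ENV = {"lmp_live_": "production", "lmp_test_": "sandbox"}


@dataclass(frozen=True)
class ApiKey:
    token: str
    org_id: str                       # every key is bound to one organization
    profile_id: Optional[str] = None  # None means the key is not profile-pinned
    revoked: bool = False


def key_environment(token: str) -> Optional[str]:
    """Map a key to its environment using the documented prefixes."""
    for prefix, env in PREFIX_ENV.items():
        if token.startswith(prefix):
            return env
    return None


def check_profile_access(key: Optional[ApiKey], server_env: str,
                         profile_id: str) -> Tuple[int, Optional[str]]:
    """Return (http_status, error_code); error_code is None when allowed."""
    # Missing key, revoked key, or prefix/environment mismatch.
    # 401 is an assumed status; the page only names the error code.
    if key is None or key.revoked or key_environment(key.token) != server_env:
        return 401, "unauthenticated"
    # A profile that does not exist, one owned by another organization, and
    # one outside the key's pin all fall through to the same branch, so the
    # caller cannot tell the three cases apart.
    in_org = PROFILES.get(profile_id) == key.org_id
    in_scope = key.profile_id is None or key.profile_id == profile_id
    if not (in_org and in_scope):
        return 404, "not_found"
    return 200, None
```
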
Read vs write
Read endpoints (GET /v1/posts, GET /v1/posts/:id, GET /v1/media, GET /v1/accounts) accept either a Bearer key or a dashboard session cookie. Writes accept Bearer keys only.
Rotation
There is no automatic key rotation. To rotate:
- Mint a new key in the dashboard.
- Switch your application secret to the new key.
- Revoke the old key.
unauthenticated.
OAuth tokens are different
The Authorization: Bearer … header authenticates you to letmepost. The OAuth tokens we hold for upstream platforms (Bluesky session, LinkedIn access token, etc.) are managed entirely server-side, AES-256-GCM encrypted at rest, and refreshed on the platform’s schedule. You never see them.
See accounts for the connection lifecycle.
Errors
| code | when |
|---|---|
| unauthenticated | Header missing, malformed, key revoked, or key prefix doesn’t match the environment. |
| unauthorized | Authenticated, but the key isn’t allowed to perform this action. |
| not_found | Often a profile-scope mismatch — see scoping above. |
| rate_limited | Per-key rate limit exhausted. |