Developer Platform
Manage scoped API access, OAuth applications, generated SDKs, OpenAPI, and remote MCP from one public contract.
Eigenn's developer platform supports server-to-server REST integrations, OAuth applications, generated SDKs, and remote MCP clients. Settings → Developer manages credentials and applications; the public API reference defines what those credentials can call.
Choose an Integration Surface
| Surface | Best for | Access model |
|---|---|---|
| REST API | Services, workers, internal tools, and precise resource operations | API key or OAuth bearer token |
| Generated SDK | Typed access from TypeScript, Python, Go, or Rust | Same bearer token and scopes as REST |
| OAuth application | Third-party or multi-user apps that need consent | Authorization code or client credentials |
| MCP | AI clients that need scoped finance tools | OAuth discovery or bearer token |
| App Marketplace | Provider-specific accounting, payment, inbox, automation, and AI connections | App-specific OAuth, key, webhook, or MCP setup |
All surfaces remain team-scoped. A product feature is not automatically a public developer operation.
Developer Access
Open Settings → Developer to manage:
- API keys
- OAuth applications
- redirect URLs
- OAuth scopes
- client credentials and rotation
- application approval metadata
Workspace owners create, rotate, and revoke team API keys. Plan limits apply.
API Keys
When creating a key, choose:
- All for every public read and write scope
- Read Only for every readable public scope
- Restricted for resource-specific access
Restricted keys are the safest default. Choose a distinct key for each service and environment.
The full secret is shown once. Eigenn stores and displays key metadata, not a recoverable plaintext secret. If a secret is lost, create a replacement.
Every API key is bound to:
- the creating user
- the selected team
- its granted scopes
Authentication also confirms that the user still has access to that team.
OAuth Applications
OAuth applications support:
- authorization code
- refresh token
- client credentials
- S256 PKCE for public clients
Registered redirect URLs and scopes are validated during consent. Public clients must supply PKCE. The authorization server advertises none and client_secret_post token authentication methods.
External marketplace applications appear to users only after approval and while active. Revoking access removes the user's Eigenn-issued tokens for that application.
Public API Contract
The public API is OpenAPI 3.1 and versioned as 1.0.0.
| Environment | Base URL |
|---|---|
| Production | https://api.eigenn.io/v1 |
| Sandbox | https://api-staging.eigenn.io/v1 |
Use the API Reference for the interactive explorer or retrieve the contract from https://api.eigenn.io/v1/openapi.
The contract documents:
- required scopes
- request and response schemas
- resource-specific filters
- cursor pagination
- standard error responses
- optional idempotency headers for authenticated writes
SDKs
Generated clients are available for TypeScript, Python, Go, and Rust. They follow the same OpenAPI v1 operations and do not add endpoints that the contract does not contain.
This matters for two legacy assumptions:
- no public workflow CRUD or execution endpoints are present
- the SDK Webhooks group represents provider callbacks, not a general outbound subscription service
Remote MCP
The remote endpoint is:
OAuth-capable MCP clients can use the published discovery metadata. Tools are filtered by granted scopes. The server can expose selected writes when the credential has write scopes; it does not add a universal human-approval gate.
Operating Controls
- Keep API keys in a server-side secret manager.
- Grant read access before write access.
- Use Idempotency-Key for retryable authenticated writes.
- Log request IDs when available.
- Respect Retry-After and rate-limit headers.
- Use sandbox for representative contract tests.
- Revoke credentials when an owner, service, or vendor no longer needs access.
- Recheck OAuth redirect URLs and scopes before approval.
Current Public Limits
- Public API v1 does not expose product workflow management.
- Public API v1 does not expose general outbound webhook subscription management.
- Marketplace event labels are not a substitute for an OpenAPI event schema.
- A sandbox response does not prove production data or provider state.
- The public API does not guarantee a total count on cursor-paginated resources.
Related Pages
Customers
Use the customer ledger to review relationship health, invoice exposure, revenue concentration, and follow-up work.
Document Processing and Extraction
Understand how Vault files move from upload to searchable context, structured financial fields, human verification, and transaction suggestions.