Skip to main content
Anyreach has two kinds of bearer credential for the API. Organization API keys (ak_) belong to a single organization and carry it implicitly. Personal access tokens (pat_) belong to a user, work across every organization that user is a member of, and require you to name the target organization on each request. Both are shown in full exactly once, at creation. Copy the secret then — it cannot be recovered afterward.

Which credential to use

Use an org API key (ak_) whenUse a personal access token (pat_) when
The credential acts for one fixed organization (a server, a CI job, a service integration).You work across multiple organizations and want one credential for all of them.
You want the organization baked in, with no extra header.The credential is tied to you as a user and follows your access.

Organization API keys

Org API keys are created and managed on the API Keys page in your organization. Each key prints once as ak_<id>.<secret>; after that the table shows only the truncated key id and the key cannot be revealed again.
1

Open the API Keys page

Go to API Keys in the organization you want the key scoped to. The key inherits that organization permanently.
2

Create a key

Click Create API Key, enter a Name, and choose an Expiration. Presets range from 1 day to 365 days, plus Never and Custom Date.
3

Copy the secret

The dialog shows the full secret once. Use Copy to grab it, store it in a secret manager, then click Done. The secret is not shown again.
Under the hood, creation calls POST /admin/organization-pats with a name and an optional expires_at:
curl https://api.anyreach.ai/admin/organization-pats \
  -H "Authorization: Bearer $ANYREACH_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production server",
    "expires_at": 1767225600000
  }'
FieldTypeDefaultDescription
namestringrequiredLabel for the key. Must not be empty.
expires_atintegernullExpiry as an epoch timestamp. Omit or set null for a key that never expires.
The response returns the full secret in pat_key exactly once. Subsequent list calls return only key_id (a truncated prefix), name, expires_at, and created_at.
The full secret is returned only in the create response. If you lose it, delete the key and create a new one — there is no way to recover the original.
An org API key carries its organization, so you never send the X-Anyreach-Org header with it:
curl https://api.anyreach.ai/core/agents \
  -H "Authorization: Bearer ak_..."

Personal access tokens

Personal access tokens belong to you as a user and work across every organization you can access. Create and manage them under Account → Tokens. A personal access token does not carry an organization. You must name the target organization on each request with the X-Anyreach-Org header:
curl https://api.anyreach.ai/core/agents \
  -H "Authorization: Bearer pat_..." \
  -H "X-Anyreach-Org: $ANYREACH_ORG_ID"
Personal access tokens support a few operations org API keys do not:
OperationOrg API keyPersonal access token
Rename after creationNoYes
Works across all your organizationsNo (single org)Yes
Requires X-Anyreach-Org per requestNoYes
The PAT secret (the pat_... value) is returned only when the token is created. Renaming a token does not reveal the secret again.

Next steps

Authentication

The full token flow, the Authorization header, and the X-Anyreach-Org header for personal access tokens.

Connecting an MCP client

Use either credential to connect a Model Context Protocol client to Anyreach.