Authentication

Every REST and MCP request is authenticated with a bearer API key. The same keys and the same store back the widget, the REST API, and the MCP server — there is one source of truth.

Key format

lsk_<slug>_<random>

lsk_ — fixed Locus prefix.
<slug> — your client slug, e.g. almapro.
<random> — 32 hex characters.

Example: lsk_almapro_a1b2c3d4e5f6...

Sending the key

Pass it as a bearer token:

Authorization: Bearer lsk_almapro_a1b2c3d4e5f6...

Always include the literal Bearer prefix. In the docs playground, the Authorize dialog adds it for you — paste only the raw key.

Errors

Status	Code	Meaning
401	`AUTH_MISSING`	No bearer token sent.
401	`AUTH_INVALID_FORMAT`	Token is not an `lsk_…` key.
401	`AUTH_INVALID_KEY`	Unknown or revoked key.
403	`AUTH_CLIENT_INACTIVE`	Key is valid but the client is disabled.

Rate limits

Usage is attached to your key. When a per-day quota is configured for your client, requests beyond it return 429 RATE_LIMIT. Contact Locus to adjust your quota.

OAuth is out of scope for v1 — API keys only.

Quickstart Capabilities overview

⌘I

​Key format

​Sending the key

​Errors

​Rate limits

Key format

Sending the key

Errors

Rate limits