External servers authenticate with a PocketMusala Developer API key:
Authorization: Bearer <api_key>
Raw keys include a non-secret visible prefix and a secret value:
<visible_prefix>_<secret>
Only send keys in the Authorization header. Do not place keys in URLs, query parameters, browser code, mobile apps, crash reports, analytics, or logs.

Key Creation

API keys are created only in the authenticated PocketMusala Developer API portal. A mosque owner or permitted mosque manager signs in with their existing PocketMusala account, selects a mosque they can manage, chooses scopes, and creates a key for an external server. The public REST API does not expose key creation or permission-management endpoints.

Visibility And Storage

PocketMusala shows the raw key during creation and rotation. Copy it into a server-side secret manager immediately. Use one key per external system. Do not share one key between unrelated apps or vendors. Use the key prefix to identify which integration is making requests without exposing the secret portion of the key.
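
The handling rules above (header-only transport, no keys in logs, prefix-only identification) can be enforced in code on the external server. The following is an added example, not PocketMusala's own code. It assumes the secret manager exposes the key through an environment variable with the hypothetical name POCKETMUSALA_API_KEY, and that the visible prefix ends at the first underscore.

```python
import logging
import os
import re

# Hypothetical variable name; the secret manager is assumed to populate it.
KEY_ENV_VAR = "POCKETMUSALA_API_KEY"


def load_api_key(env=os.environ):
    """Read the raw key server-side; never echo its value in the error."""
    key = env.get(KEY_ENV_VAR, "").strip()
    prefix, sep, secret = key.partition("_")
    if not (prefix and sep and secret):
        raise RuntimeError(f"{KEY_ENV_VAR} missing or not <visible_prefix>_<secret>")
    return key


def visible_prefix(key):
    # Assumption: split at the FIRST underscore. If the real prefix contains
    # an underscore the label is shortened, but secret bytes are never exposed.
    return key.partition("_")[0]


def auth_headers(key):
    # The key travels only in the Authorization header, never in the URL.
    return {"Authorization": f"Bearer {key}"}


_BEARER = re.compile(r"(Bearer\s+)([^_\s]+)_\S+")


def redact(text, key=None):
    """Keep the visible prefix, drop the secret, in any text bound for logs."""
    if key:
        text = text.replace(key, visible_prefix(key) + "_[REDACTED]")
    return _BEARER.sub(r"\1\2_[REDACTED]", text)


class RedactKeys(logging.Filter):
    """Logging filter that redacts bearer keys before a record is emitted."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True
```

Attach RedactKeys to log handlers rather than to individual loggers so that records propagated from child loggers are filtered as well.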

Scopes

Scope | Meaning
sync:read | Read the mosque sync snapshot, profile, announcements, prayer rows, events, and capabilities.
sync:write | Create or update approved mosque sync resources. Includes read access.

PocketMusala rejects requests when the key is valid but lacks the required scope.

Rotation

Rotate a key from the PocketMusala portal when a secret may have been exposed or when a server migration needs a fresh credential. Rotation returns a new raw key. The old key stops working immediately once it is rotated. Update the external server secret and run the quickstart verification requests again.

Revocation

Revoke a key from the PocketMusala portal when an integration is no longer in use or when immediate shutdown is required. Revoked keys return authentication errors and cannot be used for future syncs. Historical sync status remains visible in the portal for troubleshooting.