Authentication
Every request authenticates with an API key we issue to your organization.
Authorization: Bearer mag_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
- The key identifies your organization — you never send an org id; it's resolved from the key. All clients, documents, and submissions you create are scoped to your org, and a key can never see another org's data.
- Keys are prefixed mag_. Treat them like a password: store in a secret manager, never commit them, never expose them in a browser.
- Both Authorization: Bearer mag_... and a bare mag_... are accepted; prefer the Bearer form.
Scopes
Each key is granted only the scopes it needs:
| Scope | Grants |
|---|---|
| clients.read | List/get clients |
| clients.write | Create/update/delete clients |
| documents.write | Upload documents |
| submissions.read | List/get submissions |
| submissions.write | Create submissions |
A request to an endpoint you're not scoped for returns 403.
Check your key
curl -s https://api.magnetictax.com/v1/organization \
  -H "Authorization: Bearer $MAGNETIC_API_KEY"

{
  "organization_id": "org_…",
  "partner_name": "truss",
  "scopes": ["clients.read", "clients.write", "documents.write", "submissions.read", "submissions.write"],
  "default_tax_software": "Drake"
}
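A least-privilege preflight built on the response above, as an added example that is not Magnetic's own code: it normalizes a key to the Bearer form and compares the scopes the key holds with the scopes an integration needs, so missing scopes (which would return 403) and unneeded ones show up before deployment. The function names, the sample response and the upload-job scenario are constructed for illustration; only the URL, the mag_ prefix and the scope names come from this page.

```python
import json
import urllib.request

ORG_URL = "https://api.magnetictax.com/v1/organization"  # endpoint from this page
# Scope names copied from the Scopes table on this page.
KNOWN_SCOPES = {"clients.read", "clients.write", "documents.write",
                "submissions.read", "submissions.write"}

def auth_header(key: str) -> dict:
    """Normalize a bare or Bearer-prefixed key to the preferred Bearer form."""
    key = key.strip()
    if key.lower().startswith("bearer "):
        key = key[len("bearer "):].strip()
    if not key.startswith("mag_") or len(key) <= len("mag_"):
        raise ValueError("value is not a mag_ key")  # never echo the key itself
    return {"Authorization": f"Bearer {key}"}

def fetch_organization(key: str) -> str:
    """Live call (needs network and a real key); not used by the demo below."""
    req = urllib.request.Request(ORG_URL, headers=auth_header(key))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def audit_scopes(org_json: str, required: set) -> dict:
    """Compare the scopes a key holds with the scopes an integration needs."""
    typos = required - KNOWN_SCOPES
    if typos:
        raise ValueError(f"unknown scope names requested: {sorted(typos)}")
    granted = set(json.loads(org_json).get("scopes", []))
    return {
        "missing": sorted(required - granted),  # calls needing these return 403
        "excess": sorted(granted - required),   # candidates to have removed
    }

# Constructed sample response, shaped like the one shown above.
SAMPLE = json.dumps({
    "organization_id": "org_EXAMPLE",
    "partner_name": "example-partner",
    "scopes": ["clients.read", "clients.write", "submissions.read"],
    "default_tax_software": "Drake",
})

if __name__ == "__main__":
    # Hypothetical upload job: looks up clients and uploads documents.
    print(audit_scopes(SAMPLE, {"clients.read", "documents.write"}))
```
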
Need a key, more scopes, or a sandbox key? Talk to your Magnetic contact.