Skip to content

Setup guide

Minimum setup for calling Mandrel from scripts, backends, or HTTP clients.

API base

Point your client at this origin for all paths in the spec (unless you use a reverse proxy that prefixes routes).

https://devapi.mandrel.cloud

Calls without a session

These work with noAuthorization header unless the operation specifies otherwise:

  • POST /auth/register, POST /auth/login, refresh, logout, forgot/reset password

GET /health, feature flags, invitations, organizations, dashboard, and other product routes exist on the server but are not in the published OpenAPI file — see openapi.ts on the API.

Published OpenAPI: https://devapi.mandrel.cloud/api/docs/openapi.jsonIntegrations title, App title (same paths).

Authenticated calls

Session JWT (from browser login): send Authorization: Bearer <access_token>.

API token (for integrations): prefix mnd_… — only where the spec lists the API token scheme (typically collection routes). Many org endpoints are JWT-only.

Org-scoped routes need X-Organization-Id: <uuid> matching the org you intend to act in.

Create and revoke tokens in the app: Settings → API tokens.

Interactive explorer

Scalar lists only published operations. Other routes exist on the API but are intentionally omitted from OpenAPI. Open interactive spec →