Setup guide
Minimum setup for calling Mandrel from scripts, backends, or HTTP clients.
API base
Point your client at this origin for all paths in the spec (unless you use a reverse proxy that prefixes routes).
https://devapi.mandrel.cloudCalls without a session
These work with noAuthorization header unless the operation specifies otherwise:
POST /auth/register,POST /auth/login, refresh, logout, forgot/reset password
GET /health, feature flags, invitations, organizations, dashboard, and other product routes exist on the server but are not in the published OpenAPI file — see openapi.ts on the API.
Published OpenAPI: https://devapi.mandrel.cloud/api/docs/openapi.json — Integrations title, App title (same paths).
Authenticated calls
Session JWT (from browser login): send Authorization: Bearer <access_token>.
API token (for integrations): prefix mnd_… — only where the spec lists the API token scheme (typically collection routes). Many org endpoints are JWT-only.
Org-scoped routes need X-Organization-Id: <uuid> matching the org you intend to act in.
Create and revoke tokens in the app: Settings → API tokens.
Interactive explorer
Scalar lists only published operations. Other routes exist on the API but are intentionally omitted from OpenAPI. Open interactive spec →