Meetso API

Authentication

Bearer-token auth with per-resource scopes. Keys are minted by org admins.

The Meetso public API uses bearer-token authentication over HTTPS. Every request to /public/v1/* must include:

Authorization: Bearer mts_live_…

Requests without a valid bearer return 401 unauthorized (no Authorization header) or 401 invalid_key (key revoked, expired, or not found).

Key format

Production keys look like:

mts_live_aB3xKp9NzQwErTyUiOpAsDfGhJkLmNbVcXz

The mts_live_ prefix is brand-recognizable, helps GitHub's secret scanner identify leaked keys, and reserves namespace for a future mts_test_ mode. Treat the entire string as opaque — don't try to parse or split it.

Minting and lifecycle

Keys are minted from the dashboard by org owners and admins:

  1. Settings → API Keys → Create key
  2. Pick a name and the scopes the integration needs (least privilege).
  3. Optionally set an expiration (Never / 30 / 90 / 365 days). Default 30.
  4. Save the plaintext immediately — it's shown once. We store only a SHA-256 hash, so we cannot recover a lost key.

You can revoke a key at any time. Revoked keys 401 immediately on the next request; there is no grace period.

There's no rotate operation — to rotate, mint a new key, swap it into your integration, then revoke the old one.

Scopes

Each key carries a list of scopes. Operations check for the specific scope they require — missing one returns 403 scope_missing.

Scope             Grants
meetings:read     GET /public/v1/meetings, GET /public/v1/meetings/:id
transcripts:read  GET /public/v1/transcripts/:id
recordings:read   GET /public/v1/recordings/:id (incl. presigned URL)

We prefer per-resource scopes over a single coarse read so integrations can request only what they need. Adding new scopes (e.g., bots:write later) is non-breaking.
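
A small model of the behaviour described under Minting and lifecycle and Scopes, added here as an illustration and not Meetso's implementation: only the SHA-256 digest of a key is stored, and a request is checked for key validity (401) before scope (403). KeyStore, its methods, the 200/"ok" success value, the handling of malformed headers and the random key suffix are assumptions made for the example.

```python
import hashlib
import secrets
import time

# Scope required per operation, copied from the scopes table on this page.
REQUIRED_SCOPE = {
    "GET /public/v1/meetings": "meetings:read",
    "GET /public/v1/meetings/:id": "meetings:read",
    "GET /public/v1/transcripts/:id": "transcripts:read",
    "GET /public/v1/recordings/:id": "recordings:read",
}

def digest_of(plaintext):
    return hashlib.sha256(plaintext.encode()).hexdigest()

class KeyStore:
    """Hypothetical in-memory model: SHA-256 digest -> key record."""

    def __init__(self):
        self.records = {}

    def mint(self, name, scopes, expires_days=30, now=None):
        now = time.time() if now is None else now
        # Constructed suffix; the real key format is opaque.
        plaintext = "mts_live_" + secrets.token_urlsafe(26)
        expires = None if expires_days is None else now + expires_days * 86400
        self.records[digest_of(plaintext)] = {
            "name": name, "scopes": set(scopes),
            "expires": expires, "revoked": False,
        }
        return plaintext  # returned once; only the digest is kept

    def revoke(self, plaintext):
        self.records[digest_of(plaintext)]["revoked"] = True

    def authorize(self, header, operation, now=None):
        now = time.time() if now is None else now
        if not header:
            return 401, "unauthorized"
        # Assumption: a malformed header is treated like an unknown key.
        token = header[len("Bearer "):] if header.startswith("Bearer ") else ""
        rec = self.records.get(digest_of(token))
        if rec is None or rec["revoked"]:
            return 401, "invalid_key"
        if rec["expires"] is not None and now >= rec["expires"]:
            return 401, "invalid_key"
        if REQUIRED_SCOPE[operation] not in rec["scopes"]:
            return 403, "scope_missing"
        return 200, "ok"
```

Because the store holds only digests, nothing in it can be turned back into a usable key, which is why a lost key has to be replaced rather than recovered.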

Storing keys safely

  • Server-side only. Don't ship keys to browser JavaScript or mobile apps. The public API is for backend integrations.
  • Use secret managers. AWS Secrets Manager, Vault, Doppler, or your platform's equivalent. Avoid .env files committed to git.
  • One key per integration. If a CRM sync and a data warehouse exporter both consume the API, give them separate keys with separate scopes. Revoking one won't affect the other.
  • Watch the dashboard's Last used column. If a key hasn't been used in months, revoke it — dormant keys are blast-radius for free.
