Quickstart
Connect an agent to a Wakato Space in minutes.
Give an AI agent or third-party tool scoped, revocable control of one Wakato Space. One token, two surfaces:
- MCP — for Claude Code, Cursor, Claude Desktop (/functions/v1/space-mcp)
- REST — for everything else (/functions/v1/space-api)
| Env | Base |
|---|---|
| Production | https://api.wakato.io/functions/v1 |
| Development | https://pnwxrleocjbcvrrwrycq.supabase.co/functions/v1 |
1. Mint a key
In the app: Space → Settings → API Keys → New API key.
- Name it (e.g. "Claude Code").
- Choose an expiry (or No expiry).
- Tick the scopes you want to grant. Each domain has up to three actions:
  - Read — list / inspect
  - Write — create / edit (drafts)
  - Run — the live action: publish a page, send an SMS, post socially, run an automation. Grant deliberately.
- Create and copy the token (wks_live_…). It's shown once.
A key is locked to that one Space. It can never touch another Space, move money, read secret values, manage members, or connect new accounts.
Tip
Start least-privilege. "Pages: Read + Write" lets an agent build pages without being able to publish them live.
2a. Connect over MCP (Claude Code, Cursor)
The MCP server self-describes its tools — once connected, the agent discovers
everything via tools/list. You only need the URL + your key.
```json
{
  "mcpServers": {
    "wakato": {
      "type": "http",
      "url": "https://api.wakato.io/functions/v1/space-mcp",
      "headers": { "Authorization": "Bearer wks_live_YOUR_TOKEN" }
    }
  }
}
```

Cursor (.cursor/mcp.json) uses the same shape. Then just ask: "List my open
tasks", "Build a pricing page with a contact form", "Draft a LinkedIn post
about our launch."
2b. Call over REST
```bash
KEY="wks_live_YOUR_TOKEN"
BASE="https://api.wakato.io/functions/v1/space-api"

# List pages
curl "$BASE/pages" -H "Authorization: Bearer $KEY"

# Create a page
curl -X POST "$BASE/pages" \
  -H "Authorization: Bearer $KEY" -H "Content-Type: application/json" \
  -d '{"title":"Launch","layout_html":"<section><h1>Hello</h1></section>"}'

# Publish it (needs the pages:run scope)
curl -X POST "$BASE/pages/PAGE_ID/publish" \
  -H "Authorization: Bearer $KEY" -H "Content-Type: application/json" -d '{}'
```

| Code | Meaning |
|---|---|
| 200 / 201 | Success |
| 401 | Missing or invalid key |
| 403 | The key lacks the required scope for that operation |
See the API Reference for every endpoint and its required scope.
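The curl calls above put the token on the command line, where it is visible in the local process list. The wrapper below is an added example, not part of the Wakato documentation: it feeds the Authorization header to curl on stdin and reports failures using the status table above. The names WAKATO_KEY, WAKATO_BASE, explain_status, valid_key and wakato_call are assumptions made for this sketch.

```shell
#!/usr/bin/env bash
# Added example, not Wakato's code. WAKATO_KEY / WAKATO_BASE and the function
# names are assumptions; only the endpoint and wks_live_ prefix are from the page.
BASE="${WAKATO_BASE:-https://api.wakato.io/functions/v1/space-api}"

# Status meanings, as listed in the status table.
explain_status() {
  case "$1" in
    200|201) echo "ok" ;;
    401)     echo "missing or invalid key" ;;
    403)     echo "key lacks the required scope" ;;
    *)       echo "unexpected status $1" ;;
  esac
}

# Catch an empty or wrong secret before it is sent anywhere.
valid_key() {
  case "$1" in
    wks_live_?*) return 0 ;;
    *)           return 1 ;;
  esac
}

# wakato_call METHOD PATH [JSON_BODY]
# Prints the response body. Returns 0 on 200/201, 1 on any other status,
# 2 if no usable key is set.
wakato_call() {
  local method="$1" path="$2" body="${3:-}" out status
  valid_key "${WAKATO_KEY:-}" || { echo "WAKATO_KEY is not a wks_live_ token" >&2; return 2; }
  out="$(mktemp)" || return 2
  # printf is a shell builtin and curl reads the header from stdin (-H @-),
  # so the token never appears in any process's argv.
  status="$(printf 'Authorization: Bearer %s\n' "$WAKATO_KEY" |
    curl -sS -o "$out" -w '%{http_code}' -X "$method" "$BASE$path" \
         -H @- -H 'Content-Type: application/json' ${body:+-d "$body"})"
  cat "$out"; rm -f "$out"
  case "$status" in
    200|201) return 0 ;;
    *) echo "$method $path: $status ($(explain_status "$status"))" >&2; return 1 ;;
  esac
}

# With a "Pages: Read + Write" key exported as WAKATO_KEY from a secret store:
#   wakato_call POST /pages '{"title":"Launch"}'    # draft is created
#   wakato_call POST /pages/PAGE_ID/publish '{}'    # 403: key has no pages:run
```

Reading headers with `-H @-` requires curl 7.55.0 or later.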
3. What an agent can do
| Domain | Read | Write | Run |
|---|---|---|---|
| Contacts, Tables | ✓ | ✓ | — |
| Pages, Forms, Booking | ✓ | ✓ | publish page |
| Calendar, Tasks | ✓ | ✓ | — |
| Documents, Whiteboards, Meet | ✓ | ✓ | — |
| Assets (media, characters) | ✓ | ✓ | — |
| Social | accounts/analytics | draft posts | publish/schedule |
| Inbox / DMs | threads/messages | — | reply |
| Phone | numbers/calls | — | send SMS |
| Ads | accounts/campaigns | draft campaign | (launch in UI) |
| Cloud Agents | ✓ | ✓ | — |
| Apps (build Space Apps) | ✓ | build code/schema | publish |
| Wallet, Finance, Integrations | ✓ (read-only) | — | — |
| Secrets | names only | — | — |
| Automations | ✓ | — | run |
| Agent Mail | — | send | — |
4. Safety model
- One Space. A key cannot reach another Space, the user's login, member permissions, or other users.
- Draft-first. Posting, sending, launching, and publishing are separate `run` scopes — `write` lets an agent prepare, not go live.
- Money is read-only. Wallet and Finance can be read; nothing moves funds.
- Secrets stay secret. Only names/labels are listed; values live in Vault.
- Accounts stay yours. Connecting new social/OAuth accounts requires you.
- Revocable. Delete the key and the connection is gone immediately.
5. Realtime
Changes an agent makes through this API appear live in an open Wakato tab (Pages, Contacts, Tasks, Documents, Calendar, Forms, Booking, Social) — no refresh needed.