API Reference

Authentication

Authenticate Two Minute Reports API requests with a bearer token, and learn how to create one.

The Two Minute Reports API authenticates every request with a bearer token — an API key you create from your account. Pass it in the Authorization header:

curl https://api.twominutereports.com/v1/users/me \
  -H "Authorization: Bearer tmrc_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

There is no cookie- or session-based authentication for the API — the token is the only credential.

Getting an API key

Create and manage API keys from the API Keys tab in your account settings.

Open the API Keys settings

Go to hub.twominutereports.com/settings?tab=api-keys and click New key.

Configure the key

In the Create API key dialog:

  • Key name — a label to help you recognise the key later (e.g. My API Integration).
  • Intended use — select API.
  • Expiry — optionally choose when the key should expire (No expiry, 30 days, 90 days, or 1 year). Leave it as No expiry for a key that never expires.

Then click Create key.

Copy your key

The key is shown once. Copy it immediately and store it somewhere safe — it cannot be retrieved again. When you're done, click Done.

The full key is shown only once, right after you create it. If you lose it, revoke the key and create a new one.

Managing keys

Keys and sessions are managed from your account settings, where you can create, edit, and revoke them. The public API does not expose key or session management.

Permissions

By default an API key has full access — it can do anything you can. When you create (or edit) a key you can restrict it to a set of scopes, written as <resource>:<action>.

  • Actions: read, write (create/update), delete.
  • Resources: account, teams, connections, connectors, clients, data, platform.

Every endpoint page lists the scope it needs as its Permission. A key is allowed if it holds that scope (or a wildcard such as clients:*, *:read, or *:*). Unrestricted (full-access) keys are unaffected.

Only these resource/action combinations exist:

Resource     read  write  delete
account
teams
connections
connectors
clients
data
platform

The account scope covers your profile and preferences only. Session and API-key management are not available through the public API — do that from your account settings.

If a key is missing the scope a route requires, the API responds with 403 Forbidden and names the missing scope (and how to grant it):

{
  "success": false,
  "error": {
    "code": "INSUFFICIENT_PERMISSIONS",
    "message": "This API key is missing the `clients:delete` permission required for this endpoint. Grant it to the key under Settings → API Keys (https://hub.twominutereports.com/settings?tab=api-keys), or use a key that has it."
  }
}
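
The scope rule above, modeled client-side as an added example (not Two Minute Reports code; the server's own matching logic is not shown on this page). Function names and the sample scope lists are constructed, and the check validates resource and action names only, not which combinations exist.

```python
# Added example: client-side model of the documented scope rule.
# Assumption: the server matches wildcards the way the page describes.
RESOURCES = {"account", "teams", "connections", "connectors",
             "clients", "data", "platform"}
ACTIONS = {"read", "write", "delete"}


def parse_scope(scope, allow_wildcard=True):
    """Split '<resource>:<action>'; reject names the page does not list."""
    resource, sep, action = scope.partition(":")
    ok_res = resource in RESOURCES or (allow_wildcard and resource == "*")
    ok_act = action in ACTIONS or (allow_wildcard and action == "*")
    if not (sep and ok_res and ok_act):
        raise ValueError(f"invalid scope: {scope!r}")
    return resource, action


def key_allows(granted, required):
    """True if a key holding `granted` satisfies an endpoint's Permission.

    granted=None models an unrestricted (full-access) key.
    """
    need_res, need_act = parse_scope(required, allow_wildcard=False)
    if granted is None:
        return True
    return any(res in ("*", need_res) and act in ("*", need_act)
               for res, act in map(parse_scope, granted))


def missing_scopes(granted, required_scopes):
    """Required scopes this key would be refused for (the 403 case)."""
    return [s for s in required_scopes if not key_allows(granted, s)]


def review_grants(granted, required_scopes):
    """Least-privilege review: flag wildcards and grants nothing needs."""
    findings = {}
    for scope in granted:
        parse_scope(scope)  # validate before classifying
        if "*" in scope:
            findings[scope] = "wildcard"
        elif scope not in required_scopes:
            findings[scope] = "unused"
    return findings


# Constructed sample: an integration that reads and deletes clients and reads data.
NEEDED = ["clients:read", "clients:delete", "data:read"]
KEY_SCOPES = ["clients:*", "*:read", "teams:write"]
print(missing_scopes(KEY_SCOPES, NEEDED), review_grants(KEY_SCOPES, NEEDED))
```

Running the review before issuing a key shows which wildcard or unused grants can be dropped so the key carries only the scopes its endpoints list as their Permission.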

Token format

API keys begin with tmrc_live_ followed by 32 random characters — 42 characters in total.

tmrc_live_aB3dEfGhIjKlMnOpQrStUvWxYz123456

Unauthenticated requests

A request fails with 401 Unauthorized if the Authorization header is missing, malformed, or the key is invalid, expired, or revoked.

{
  "success": false,
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Authentication required"
  }
}

To avoid leaking whether a specific key exists, all authentication failures return the same generic 401 message.