Authentication

All API requests require an API token passed as a Bearer token in the Authorization header.

Getting a token

  1. Sign in at app.instatollm.com
  2. Navigate to API Tokens in the sidebar
  3. Click Create token, enter a descriptive name, click Create
  4. Copy the token immediately — it is shown only once

Tokens look like:

ist_aBcDeFgHiJkLmNoPqRsTuVwXyZ01

The ist_ prefix identifies it as an instatollm token.


Using the token

Include the token in every request:

Authorization: Bearer ist_your_token_here

curl:

curl https://api.instatollm.com/api/v1/reels/42 \
  -H "Authorization: Bearer ist_your_token_here"

Python:

import httpx

client = httpx.Client(
    base_url="https://api.instatollm.com",
    headers={"Authorization": "Bearer ist_your_token_here"},
)

JavaScript:

const headers = {
  Authorization: "Bearer ist_your_token_here",
  "Content-Type": "application/json",
};

Managing tokens

List tokens

Tokens are visible at app.instatollm.com/api-tokens. Each token shows its name, creation date, and last used time.

The actual token value is never shown again after creation — only the first 16 characters (ist_xxxx…) are displayed for identification.

Revoke a token

Click Revoke next to any token in the dashboard. Revocation is immediate — any in-flight requests with that token will fail.


Security best practices

  • Give each integration its own token (one for n8n, one for Zapier, etc.)
  • Revoke tokens that are no longer needed
  • Never commit tokens to git — use environment variables
  • Tokens do not expire, but you can rotate them at any time
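
The following is an added example, not code from instatollm: a scan for hard-coded tokens that could run before a commit, plus a loader that takes the token from the environment. The token pattern (28 letters or digits after ist_, inferred from the single sample above) and the variable name INSTATOLLM_API_TOKEN are assumptions.

```python
import os
import re

# Assumption: token shape inferred from the one sample on this page
# ("ist_" plus 28 letters/digits). Adjust if real tokens differ.
TOKEN_RE = re.compile(r"\bist_[A-Za-z0-9]{28}\b")
ENV_VAR = "INSTATOLLM_API_TOKEN"  # hypothetical variable name

# Constructed sample of a source file, reusing the page's example token.
SAMPLE = '''# settings.py (constructed)
API_TOKEN = "ist_aBcDeFgHiJkLmNoPqRsTuVwXyZ01"
headers = {"Authorization": "Bearer ist_your_token_here"}
token = os.environ["INSTATOLLM_API_TOKEN"]
'''


def redact(token):
    """Show only the first 16 characters, as the dashboard does."""
    return token[:16] + "..."


def find_tokens(text):
    """Return (line_number, redacted_token) for each hard-coded token."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            hits.append((lineno, redact(match.group())))
    return hits


def auth_headers(environ=None):
    """Build the Authorization header from the environment only."""
    environ = os.environ if environ is None else environ
    token = environ.get(ENV_VAR, "").strip()
    if not TOKEN_RE.fullmatch(token):
        # Do not echo the value: it may be a real secret with a typo.
        raise RuntimeError(f"{ENV_VAR} is unset or not a well-formed ist_ token")
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    for lineno, shown in find_tokens(SAMPLE):
        print(f"line {lineno}: hard-coded token {shown}")
```

The scan reports only the redacted form, so its own output is safe to keep in CI logs.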

Error responses

Status              Meaning
401 Unauthorized    Missing Authorization header
401 Unauthorized    Invalid or revoked token
403 Forbidden       Token valid but insufficient permissions

// 401 response body
{ "error": "invalid API token" }