Developer platform — live today

Drive Storylayer from any AI agent.

Public REST API, an MCP server for Claude and ChatGPT, OAuth 2.1 with Dynamic Client Registration, and signed webhooks. Built on standards. Shipped today.

Generate a token MCP setup →OAuth 2.1 Webhooks

REST endpoints

20+

/api/v1/*

MCP tools

Claude / ChatGPT / agents

Webhook events

HMAC-signed, retried

Auth methods

PAT · OAuth 2.1

PKCE + DCR

Quickstart

From zero to first call in two minutes.

Generate a Personal Access Token in your dashboard, pick a scope preset, and call any endpoint with a standard Authorization: Bearer header.

1. Generate a token

Visit /dashboard/developers, pick a scope preset (AI agent, read-only, publish-only), copy the token. Tokens are shown once and stored as SHA-256 hashes.

2. Make your first call

curl https://app.storylayer.ai/api/v1/health \
  -H "Authorization: Bearer sl_pat_..."

# {
#   "ok": true,
#   "user_id": "...",
#   "scopes": ["projects:read","stories:read",...],
#   "server_time": "2026-04-29T..."
# }

REST API

Same surface the dashboard uses.

Bearer-auth, JSON in / JSON out, scopes per token, every call audited (90-day retention). Project-scoped tokens are isolated to one project; account-scoped tokens see everything.

GET  /api/v1/projects

List projects you own

GET  /api/v1/templates

Visual templates per project

GET  /api/v1/social-connections

Connected accounts (no secrets)

GET  /api/v1/moments

Detected moments awaiting review

GET  /api/v1/stories

Drafts, scheduled, published

POST /api/v1/stories

Create a draft story

POST /api/v1/stories/:id/schedule

Pin a publish time

POST /api/v1/stories/:id/publish

Ship now

GET  /api/v1/media

Project asset library

POST /api/v1/media/from-url

Pull a remote image

GET  /api/v1/webhooks

List webhook endpoints

POST /api/v1/webhooks

Subscribe a URL

Available scopes

projects:readList + read project metadata

projects:writeUpdate project settings

templates:readList + read templates

connections:readList social/data connections (no secrets)

moments:readRead detected moments

stories:readRead draft/scheduled/published stories

stories:writeCreate + edit stories

stories:publishSchedule + publish stories

media:readList project media

media:writeUpload media

webhooks:readList webhook endpoints + deliveries

webhooks:writeCreate + manage webhook endpoints

Model Context Protocol

An MCP server for AI agents.

Streamable HTTP transport at https://app.storylayer.ai/api/mcp. 14 tools today, same auth as the REST API. Compatible with Claude Desktop, Claude.ai, ChatGPT custom connectors, and any spec-compliant MCP client.

Claude Desktop config

macOS

# ~/Library/Application Support/Claude/
#   claude_desktop_config.json
{
  "mcpServers": {
    "storylayer": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/inspector",
        "https://app.storylayer.ai/api/mcp"
      ],
      "env": {
        "MCP_HEADERS": "Authorization: Bearer sl_pat_..."
      }
    }
  }
}

Windows / Linux

# Windows: %APPDATA%\Claude\
#   claude_desktop_config.json
# Linux:   ~/.config/Claude/
#   claude_desktop_config.json
#
# Same JSON structure as macOS. Restart
# Claude Desktop after saving.
#
# After restart:
#   Settings → Developer → MCP Servers
# should show "storylayer" with all
# 14 tools enabled.

Tools available (14)

list_projectsEvery project the token can see

list_templatesVisual templates available to a project

list_social_connectionsConnected channels per project

list_momentsDetected moments awaiting review

list_storiesDrafts, scheduled, published

get_storyFull story payload + variants

create_storyDraft from template + data

schedule_storyPin a story to a specific time

publish_storyShip a story right now

list_mediaProject asset library

upload_media_from_urlPull a remote image into the library

list_webhooksAll endpoints subscribed to events

create_webhookSubscribe a URL to events

whoamiInspect the current token's principal + scopes

OAuth 2.1 + Dynamic Client Registration

One-click consent for hosted AI tools.

Building a Claude.ai connector, a ChatGPT GPT, or any hosted MCP client? Storylayer ships full OAuth 2.1 with PKCE, refresh-token rotation, RFC 7591 Dynamic Client Registration, and discoverable metadata. Your users sign in once, approve scopes, done — no token pasting.

GET  /.well-known/oauth-authorization-server

RFC 8414 metadata

GET  /.well-known/oauth-protected-resource

RFC 9728 metadata

POST /oauth/register

RFC 7591 client registration

GET  /oauth/authorize

Consent screen + PKCE

POST /oauth/token

Code exchange + refresh

POST /oauth/revoke

RFC 7009 revocation

# 1. Discover
curl https://app.storylayer.ai/.well-known/oauth-authorization-server

# 2. Register (no client_secret — we issue public clients)
curl -X POST https://app.storylayer.ai/oauth/register \
  -H 'content-type: application/json' \
  -d '{
    "client_name": "Acme AI Agent",
    "redirect_uris": ["https://acme.example/oauth/callback"],
    "grant_types": ["authorization_code","refresh_token"],
    "token_endpoint_auth_method": "none",
    "scope": "stories:read stories:write moments:read"
  }'

# 3. Send your user to /oauth/authorize with PKCE.
# 4. Exchange the code at /oauth/token.
# 5. Use the access token (sl_oat_...) on /api/v1/* and /api/mcp.

Webhooks

Push events to your stack.

Subscribe a URL to story and moment events. Every delivery is signed with HMAC-SHA256 in X-Storylayer-Signature and retried with exponential backoff (1m → 5m → 15m → 1h → 4h → 12h) before being marked permanent_failure. Manage from the dashboard or via the API.

story.scheduled

A story has a confirmed publish time

story.published

A story shipped successfully

story.failed

A scheduled story errored on send

moment.detected

A detector fired against your data

moment.auto_drafted

A high-severity moment turned into a draft

# Verify signature in your webhook receiver:
const sig = req.headers["x-storylayer-signature"];
const expected = crypto
  .createHmac("sha256", SIGNING_SECRET)
  .update(rawBody)
  .digest("hex");
const ok = crypto.timingSafeEqual(
  Buffer.from(sig, "hex"),
  Buffer.from(expected, "hex"),
);

Security

Built for least privilege.

Hashed tokens

Personal Access Tokens are stored as SHA-256 hashes — the raw token is shown once, never persisted.

Scope-locked

Tokens carry a fixed scope list. publish-only tokens can't read analytics, read-only tokens can't ship posts.

Project-scoped tokens

Restrict a token to one project so an AI agent can't touch the rest of your account.

Audited every call

Method, path, status, duration, IP, and user-agent are logged for 90 days.

Rotation + revocation

Refresh tokens rotate on every exchange. Revoke any token instantly from the dashboard.

Connection secrets stay local

Instagram, Facebook, X tokens are never returned through the API — only metadata.

Ready to plug in?

Get a token, point your AI tool at the MCP server, and start shipping posts from your data.

Generate a token Create an account