Developer documentation

Build anything on Storylayer.

Storylayer's developer platform is built on standards: REST + JSON, OAuth 2.1, MCP, and HMAC-signed webhooks. Pick a starting point below.

Quickstart
5 min
Generate a Personal Access Token and make your first call in under two minutes.
REST API reference
20+ endpoints
Bearer-auth, JSON in / JSON out, scopes per token. The same surface the dashboard runs on.
MCP server
21 tools
Drive Storylayer from Claude Desktop, Claude.ai, ChatGPT, or any spec-compliant MCP client.
OAuth 2.1
DCR
PKCE, refresh-token rotation, RFC 7591 Dynamic Client Registration, and discoverable metadata.
Webhooks
5 events
HMAC-signed deliveries with exponential backoff retries. Subscribe a URL to story and moment events.
Rate limits
Per-token fixed-window limits with X-RateLimit-* headers and Retry-After on 429.
Scopes
Twelve fine-grained scopes that map to the actions an agent or integration can perform.

Base URLs

Storylayer runs at one production hostname. All API, MCP, and OAuth routes live on the same origin.

SurfaceURL
REST APIhttps://app.storylayer.ai/api/v1
MCP serverhttps://app.storylayer.ai/api/mcp
OAuth authorizationhttps://app.storylayer.ai/oauth/authorize
OAuth token endpointhttps://app.storylayer.ai/oauth/token
Authorization-server metadatahttps://app.storylayer.ai/.well-known/oauth-authorization-server
Protected-resource metadatahttps://app.storylayer.ai/.well-known/oauth-protected-resource

Authentication at a glance

Three token formats are accepted on the same auth header:

  • sl_pat_… — Personal Access Tokens, generated in the dashboard.
  • sl_oat_… — OAuth 2.1 access tokens, issued by /oauth/token.
  • sl_… — Legacy admin keys (back-compat only; new integrations should use PATs or OAuth).
Authorization: Bearer sl_pat_xxxxxxxxxxxxxxxxxx

Status & conventions

  • Successful responses are JSON with no envelope; 200 + payload.
  • Error responses always include an error object: { error: { code, message } }.
  • Common error codes: missing_token, invalid_token, expired_token, revoked_token, insufficient_scope, rate_limited.
  • Every successful request returns rate-limit headers: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset.