Overview & authentication
Astreo is open at the edges: REST API, webhooks and MCP — on the same scoped view.
Astreo is open at the edges: you can reach the same scoped view as in the app programmatically, through three complementary interfaces.
Overview: REST, webhooks, MCP
- REST API — read data and trigger workflows (pull).
- Webhooks — Astreo notifies your system of events in real time (push).
- MCP server — AI assistants/agents connect via the Model Context Protocol (drafts, never auto-send).
All three run on the same scoped view: a credential sees only what it is allowed to.
Personal access tokens (PAT)
Authentication uses a personal access token. You create a token in the settings; it is shown only once and stored hashed on the server. Pass it in the Authorization header as a bearer token:
Authorization: Bearer astreo_pat_xxxxxxxx
Treat the token like a password. Revoke lost or compromised tokens in the settings.
Scopes & permissions
Tokens are scoped — they only get the rights you grant (e.g. read-only). A token can never see or do more than the user it belongs to.
Base URL & versioning
The public API is versioned. Base URL:
https://app.astreo.de/api/v1
Responses are JSON. New fields may be added without breaking the version, so clients should ignore fields they do not recognize.
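A client-side sketch of the token handling described above, as an added example that is not Astreo's own code: it keeps the PAT out of source, pins requests to the versioned base URL, refuses redirects so the bearer header is not replayed to another host, and tolerates additive fields. The environment variable name `ASTREO_PAT`, the function names and any resource path passed in are assumptions; the page lists no endpoints.

```python
import json
import os
import urllib.request
from urllib.parse import urlsplit

BASE_URL = "https://app.astreo.de/api/v1"  # base URL given on the page
TOKEN_PREFIX = "astreo_pat_"               # prefix shown in the page's header example


def load_token(env=os.environ, var="ASTREO_PAT"):
    """Read the PAT from the environment (variable name is an assumption)."""
    token = env.get(var, "").strip()
    if not token.startswith(TOKEN_PREFIX) or len(token) == len(TOKEN_PREFIX):
        raise ValueError(f"{var} is missing or is not an Astreo PAT")
    return token


def build_request(path, token):
    """Build a GET request that can only target the versioned base URL."""
    if not path.startswith("/") or path.startswith("//") or ".." in path.split("/"):
        raise ValueError("path must be relative to the API base")
    url = BASE_URL + path
    parts, base = urlsplit(url), urlsplit(BASE_URL)
    if (parts.scheme, parts.netloc) != (base.scheme, base.netloc):
        raise ValueError("refusing to send the token to another origin")
    return urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/json",
    })


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Turn redirects into errors so the bearer header is never replayed elsewhere."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def pick_fields(body, wanted):
    """Parse a JSON object and keep only expected fields; new fields are ignored."""
    data = json.loads(body)
    return {k: data[k] for k in wanted if k in data}


def fetch(path, wanted, token=None):
    """GET one resource under the base URL and return the expected fields."""
    opener = urllib.request.build_opener(NoRedirect)
    req = build_request(path, token or load_token())
    with opener.open(req, timeout=10) as resp:
        return pick_fields(resp.read(), wanted)
```

Give each integration its own token with the narrowest scope it needs, so revoking one in the settings does not interrupt the others.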