Loom is a fully managed service. You don’t install or run anything server-side — you call the Loom API over HTTPS and authenticate every request.

Base URL

https://api.loom.getmetacognition.com
All endpoints are versioned under /v1: 
https://api.loom.getmetacognition.com/v1/...

Get an API key

1

Sign in to the dashboard

Go to loom.getmetacognition.com and sign in to your workspace.
2

Create a key

Open Account → API keys and create a key. Copy it — it’s shown once.
3

Keep it secret

Treat the key like a password. Store it in an environment variable or a secrets manager, never in source control.
You can also create and revoke keys programmatically — see Account & billing.

Authenticate a request

Send your key as a bearer token on every request: 
curl https://api.loom.getmetacognition.com/v1/recall \
  -H "Authorization: Bearer $LOOM_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"question":"astrocyte calcium signalling","budget_tokens":8000}'

Tokens vs. API keys

Loom accepts two credential types — both as Authorization: Bearer <…>:

API keys

Long-lived, created in the dashboard. Best for servers and agents. Each key is bound to a workspace (org_id).

Session tokens (JWT)

Short-lived, issued by signup/login. Best for interactive apps. Expire after the workspace’s configured TTL.

Scoping

Every credential resolves to a workspace (org_id). Per-user operations (like user memory) also need a user_id — taken from the session token, or sent as the X-User-Id header alongside an API key.
Cross-workspace access is rejected, and per-user data is isolated by user_id. Founder/admin endpoints require an account explicitly granted founder access.

Errors

StatusMeaning
401Missing, invalid, or expired credential
403Authenticated, but not allowed (e.g. another user’s data, or a founder-only route)
429Rate limit exceeded — back off and retry

Make your first call

A five-minute walkthrough from key to recall.