Authentication
Cookie sessions for browsers. Bearer tokens (API keys) for servers.
Cookie session (dashboard)
POST /api/auth/login with email/password. The API sets an HttpOnly auth_token cookie scoped to the API host. SameSite=Lax — works across the dashboard and direct API calls.
curl -c cookies.txt -X POST http://localhost:8000/api/auth/login \
-H "content-type: application/json" \
-d '{"email":"you@example.com","password":"..."}'
curl -b cookies.txt http://localhost:8000/api/auth/me
Bearer token (API keys)
Generate keys from Settings → API keys. Pass in the Authorization header:
curl -H "Authorization: Bearer sk_live_xxxxxxxx" http://localhost:8000/api/jobs
Keys carry the same permissions as your user. Revoke from Settings at any time — no propagation delay.
JWT internals
Cookie tokens are HS256 JWTs signed with SCRAPE_JWT_SECRET. Default lifetime is 7 days. Never share the secret, never check it in.