Authentication
Authenticated endpoints accept either your API key or a JWT, passed in the Authorization header. Public endpoints (the chat widget, public profiles, public booking) require no token.
Authorization: Bearer YOUR_API_KEY
Content-Type: application/json
API key
Each account has a permanent API key (a 64-character hex string). It is returned in the user object from GET /api/v1/auth/me and on login, and is the simplest way to call the API from your own backend, scripts or mobile apps.
JWT (session token)
Logging in returns a JWT (HS256, valid 30 days by default). The dashboard and apps use it; you can also send it as the Bearer token. It is additionally set as an httpOnly cookie vx_token for server-rendered pages.
Endpoints
/api/v1/auth/register Public
Create a new account. Email verification is required before the first login.
{
"email": "[email protected]",
"password": "at least 8 chars",
"name": "Jane",
"company": "Acme"
}

{
"success": true,
"requires_verification": true,
"message": "Registration successful. Please check your email…"
}

/api/v1/auth/login Public
Exchange email + password for a JWT. The response also contains your account, including the API key.
{
"email": "[email protected]",
"password": "••••••••"
}

{
"success": true,
"token": "eyJ…",
"user": { "id": 1, "email": "[email protected]", "plan": "pro", "api_key": "a1b2…", … }
}

/api/v1/auth/me Auth
Return the current authenticated account (including the API key).
{
"success": true,
"user": { "id": 1, "email": "[email protected]", "name": "Jane", "plan": "pro", "role": "user", "api_key": "a1b2…" }
}

401 Unauthorized.

Keep your API key secret — anyone with it has full access to your account.
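
A client-side pre-flight check for the two credential types described above, together with a redactor for the token and api_key fields that the login and /me responses return, so they stay out of logs. This is an added example, not code from the API's provider; the function names, the exp claim and the sample token are assumptions, and the JWT check is a local sanity check that does not verify the HS256 signature.

```python
import base64
import json
import re
import time

API_KEY_RE = re.compile(r"[0-9a-fA-F]{64}")       # page: 64-character hex string
SECRET_FIELDS = {"api_key", "token", "password"}  # fields seen in the page's JSON

def b64url_json(segment):
    """Decode one base64url JWT segment into a dict."""
    obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("JWT segment is not a JSON object")
    return obj

def classify_credential(value, now=None):
    """Return 'api_key' or 'jwt'; raise ValueError before anything is sent."""
    if API_KEY_RE.fullmatch(value):
        return "api_key"
    parts = value.split(".")
    if len(parts) != 3:
        raise ValueError("not a 64-hex API key or a three-part JWT")
    header, claims = b64url_json(parts[0]), b64url_json(parts[1])
    if header.get("alg") != "HS256":              # page: tokens are HS256
        raise ValueError("unexpected JWT alg")
    now = time.time() if now is None else now
    exp = claims.get("exp")                       # assumption: token carries 'exp'
    if isinstance(exp, (int, float)) and exp <= now:
        raise ValueError("JWT expired, log in again")
    return "jwt"

def auth_headers(value):
    """Build the two request headers shown on the page."""
    classify_credential(value)
    return {"Authorization": "Bearer " + value, "Content-Type": "application/json"}

def redact(obj):
    """Copy a decoded response with credential fields masked, for logging."""
    if isinstance(obj, dict):
        return {k: "[redacted]" if k in SECRET_FIELDS else redact(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj

def sample_jwt(exp, alg="HS256"):
    """Constructed token with a dummy signature, for demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": alg, "typ": "JWT"}), enc({"sub": 1, "exp": exp}), "c2ln"])
```

Log redact(response) rather than the raw body: the API key is permanent, so a copy left in a log file remains usable after the 30-day JWT from the same response has expired.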