Vexar API

Authentication

Authenticated endpoints accept either your API key or a JWT, passed in the Authorization header. Public endpoints (the chat widget, public profiles, public booking) require no token.

Authorization: Bearer YOUR_API_KEY
Content-Type: application/json

API key

Each account has a permanent API key (a 64-character hex string). It is returned in the user object from GET /api/v1/auth/me and on login, and is the simplest way to call the API from your own backend, scripts or mobile apps.

JWT (session token)

Logging in returns a JWT (HS256, valid 30 days by default). The dashboard and apps use it; you can also send it as the Bearer token. It is additionally set as an httpOnly cookie vx_token for server-rendered pages.

Endpoints

POST /api/v1/auth/register Public

Create a new account. Email verification is required before the first login.

Request body
{
  "email": "[email protected]",
  "password": "at least 8 chars",
  "name": "Jane",
  "company": "Acme"
}

Response
{
  "success": true,
  "requires_verification": true,
  "message": "Registration successful. Please check your email…"
}

POST /api/v1/auth/login Public

Exchange email + password for a JWT. The response also contains your account, including the API key.

Request body
{
  "email": "[email protected]",
  "password": "••••••••"
}

Response
{
  "success": true,
  "token": "eyJ…",
  "user": { "id": 1, "email": "[email protected]", "plan": "pro", "api_key": "a1b2…", … }
}

GET /api/v1/auth/me Auth

Return the current authenticated account (including the API key).

Response
{
  "success": true,
  "user": { "id": 1, "email": "[email protected]", "name": "Jane", "plan": "pro", "role": "user", "api_key": "a1b2…" }
}

Note: A missing or invalid token returns 401 Unauthorized. Keep your API key secret — anyone with it has full access to your account.
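Because the login and /api/v1/auth/me responses carry the permanent API key (and login also returns the JWT), a backend that logs raw responses writes those credentials to disk. The sketch below is an added example, not Vexar's own client code: it loads the key from the environment, checks the 64-character hex shape, builds the documented request, and masks credential fields before logging. The host vexar.example, the variable name VEXAR_API_KEY and all function names are assumptions.

```python
import json
import os
import re
import urllib.request

# Assumption: placeholder host; the page does not give the API's base URL.
BASE_URL = "https://vexar.example"
API_KEY_RE = re.compile(r"[0-9a-fA-F]{64}")        # "64-character hex string"
SECRET_FIELDS = {"api_key", "token", "password"}   # credential fields shown on the page


def load_api_key(env=os.environ, var="VEXAR_API_KEY"):
    """Read the key from the environment (variable name is an assumption) and check its shape."""
    key = env.get(var, "").strip()
    if not API_KEY_RE.fullmatch(key):
        raise ValueError(f"{var} is missing or is not a 64-character hex string")
    return key


def me_request(api_key, base_url=BASE_URL):
    """Build (not send) GET /api/v1/auth/me with the documented headers."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send a bearer credential over a non-HTTPS URL")
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/auth/me",
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
        method="GET",
    )


def redact(value):
    """Return a copy of a parsed response with credential fields masked, safe to log."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k in SECRET_FIELDS else redact(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


if __name__ == "__main__":
    # Constructed sample shaped like the login response on this page.
    sample = {"success": True, "token": "eyJ.constructed.sample",
              "user": {"id": 1, "plan": "pro", "api_key": "ab" * 32}}
    print(json.dumps(redact(sample)))
    req = me_request(load_api_key({"VEXAR_API_KEY": "ab" * 32}))
    print(req.get_method(), req.full_url)
```

Pass the Request to urllib.request.urlopen to send it, and log only redact(json.load(response)), never the raw body.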