Authentication

The Lipafy API accepts three credential types. Choose based on the use case:

API key

Authorization: Bearer lip_live_... — your own scripts and agents. Mint at /dashboard/api-keys.

OAuth access token

Authorization: Bearer <jwt> — third-party apps spending from a user’s wallet. See Connected apps.

Session cookie

Cookie: lipafy_session=... — set automatically by the dashboard. Browser only.

Priority

If multiple credentials are present, Lipafy picks in this order:

  1. Authorization: Bearer <api-key-or-token> (whichever Bearer is sent)
  2. Cookie: lipafy_session=...

A request with a bad Authorization header does not fall through to the cookie — that would mask bugs.

API key format

lip_live_<32-character-base32>

Keys are owned by a specific account and paired with a grant. Each grant carries its own spending controls. Revoke at /dashboard/api-keys or via DELETE /v1/accounts/me/api-keys/:id.

Errors

errorHTTPCause
unauthenticated401No credential present
invalid_api_key401Malformed or unknown key
api_key_revoked401Key was revoked
api_key_expired401Key’s expiry passed
invalid_token401JWT didn’t verify
expired_token401Session or JWT expired
forbidden403Authenticated but not allowed (e.g. admin-only endpoint)
account_suspended403Account is suspended

Related: