Authentication
The Lipafy API accepts three credential types. Choose based on the use case:
API key
Authorization: Bearer lip_live_... — your own scripts and agents. Mint at /dashboard/api-keys.
OAuth access token
Authorization: Bearer <jwt> — third-party apps spending from a user’s wallet. See Connected apps.
Session cookie
Cookie: lipafy_session=... — set automatically by the dashboard. Browser only.
Priority
If multiple credentials are present, Lipafy picks in this order:
Authorization: Bearer <api-key-or-token>(whichever Bearer is sent)Cookie: lipafy_session=...
A request with a bad Authorization header does not fall through to the cookie — that would mask bugs.
API key format
Keys are owned by a specific account and paired with a grant. Each grant carries its own spending controls. Revoke at /dashboard/api-keys or via DELETE /v1/accounts/me/api-keys/:id.
Errors
Related:
