
Authentication

Every request except signup, login, and parameter listing requires authentication via the Authorization header.

Three methods

API key

Returned at signup. Does not expire. One key per account.

Authorization: Bearer pdw_5744cde4941d3f9160f3bd03771786378d97ff67f5401de3

JWT

Returned at signup and login. Expires after 72 hours.

Authorization: Bearer eyJhbGciOiAiSFMyNTYi...

To get a fresh token, call the login endpoint:

curl -s https://page-dewarp-api.louismmx.workers.dev/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "you@example.com", "password": "your-password"}' | jq .
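
An added example, not part of this API's documentation or code: client-side handling of the two bearer credentials and the 72-hour JWT lifetime described above. It assumes the JWT carries a standard `exp` claim, which the page does not state; the function names and the five-minute refresh margin are hypothetical.

```python
import base64
import json
import time

API_KEY_PREFIX = "pdw_"   # prefix shown in the page's API key examples
REFRESH_MARGIN = 300      # assumption: log in again 5 minutes before expiry

def jwt_expiry(token):
    """Return the JWT's 'exp' claim (Unix seconds), or None if unreadable.

    Assumes a standard 'exp' claim. The signature is NOT verified here, so the
    value is only a client-side scheduling hint, never a trust decision.
    """
    try:
        part = token.split(".")[1]
        part += "=" * (-len(part) % 4)  # restore stripped base64url padding
        exp = json.loads(base64.urlsafe_b64decode(part))["exp"]
        return exp if isinstance(exp, (int, float)) else None
    except (AttributeError, IndexError, KeyError, TypeError, ValueError):
        return None

def needs_login(token, now=None):
    """True when the JWT is missing, unreadable, or within the margin of expiry."""
    now = time.time() if now is None else now
    exp = jwt_expiry(token)
    return exp is None or now >= exp - REFRESH_MARGIN

def auth_header(api_key=None, token=None, now=None):
    """Build the Authorization header, or return None if a login is required."""
    if api_key and api_key.startswith(API_KEY_PREFIX):
        return {"Authorization": "Bearer " + api_key}
    if token and not needs_login(token, now):
        return {"Authorization": "Bearer " + token}
    return None

def redact(credential):
    """Shorten a credential for log lines so the full secret is never written."""
    return credential[:8] + "..." if credential else "<none>"

def sample_jwt(exp):
    """Constructed token for the demo (dummy signature); not a real credential."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256"}), enc({"exp": exp}), "sig"])

if __name__ == "__main__":
    tok = sample_jwt(int(time.time()) + 72 * 3600)  # 72-hour lifetime from the page
    print("needs login:", needs_login(tok), "token:", redact(tok))
```

When `auth_header` returns None, call the login endpoint for a fresh token before retrying the request.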

Google sign-in

The browser app uses Google sign-in. You can also use it via the API by sending a Google ID token:

curl -s https://page-dewarp-api.louismmx.workers.dev/api/auth/google \
  -H "Content-Type: application/json" \
  -d '{"id_token": "eyJhbGciOi..."}' | jq .

Response for a new user:

{
  "token": "eyJ...",
  "api_key": "pdw_...",
  "claim_url": "https://..."
}

Response for a returning user:

{
  "token": "eyJ...",
  "api_key": "pdw_..."
}

If the Google account's email matches an existing password-based account, the accounts are linked automatically.

Which to use

Scenario | Method
Shell scripts, CI/CD, backend integration | API key
Browser-based frontend | Google sign-in or JWT
Testing / quick experiments | Either — API key is simplest

Error responses

A missing or invalid credential returns:

{"error": "Unauthorized"}

Status code: 401.