Authentication
All API requests require authentication using an API key. Please don't try to impersonate a web browser by using your session cookies, just use an API key.
Limitations
Certain endpoints that could be used for account takeover are restricted from general API access. This includes operations like changing your email address, managing passkeys, or other sensitive account security settings.
If you have a legitimate need for programmatic access to these endpoints and understand the risks, reach out and we can discuss options.
Getting an API Key
- Navigate to API Keys on the Dashboard
- Click Create New Key
- Copy your key immediately, it won't be shown again
Key Format
API keys are 384-bit keys that follow the format: thot_ak_{random_hex}. The prefix thot_ak_ identifies it as a Thotbot API key.
Internally, we store the key as a secure hash and it cannot be retrieved after creation.
Using Your API Key
Include your API key in the Authorization header using the Bearer token format.
Request Headers
AuthorizationrequiredFormat:
Bearer thot_ak_your_key_hereUser-AgentrecommendedA descriptive identifier for your application
curl -H "Authorization: Bearer thot_ak_your_key_here" \
https://thotbot.cc/v1/versionconst response = await fetch('https://thotbot.cc/v1/version', {
headers: {
'Authorization': 'Bearer thot_ak_abc123...',
'User-Agent': 'my-app/1.0.0'
}
});
const data = await response.json();User-Agent
Please include a descriptive User-Agent header with your requests. This helps us reach out if there's an issue with your integration.
User-Agent: your-app-name/version ([email protected])A good User-Agent includes:
- App name - what your application is called
- Version - so you can track which versions are in use
- Contact (optional) - email or URL so we can reach you if needed
We won't block requests without a User-Agent, but generic or missing User-Agents make it harder to debug issues on both ends.