
Authentication

Mittr supports two authentication methods. Both can be used simultaneously.

Include your API key in any of these locations (checked in order):

  1. X-API-Key header (recommended)
  2. Authorization: Bearer {key} header
  3. ?key={key} query parameter (WebSocket only)

curl https://app.mittr.io/api/v1/events \
  -H "X-API-Key: mtr_your_key"

API keys are scoped to a client and optionally to a project. The project scope is resolved automatically from the key.

For browser-based access (dashboard), authenticate via email/password login:

# Login: sets the mittr_session cookie
curl -X POST https://app.mittr.io/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com", "password": "..."}' \
  -c cookies.txt

# Subsequent requests use the cookie
curl https://app.mittr.io/api/v1/events -b cookies.txt

Sessions expire after 24 hours by default.

  • API keys: Project is embedded in the key. Resolved automatically during auth.
  • Session auth: Send X-Project-ID header to scope requests to a specific project.

curl https://app.mittr.io/api/v1/endpoints \
  -b cookies.txt \
  -H "X-Project-ID: your-project-uuid"

Without project scoping, queries return data across all projects for the client.

The server checks authentication in order:

  1. Session cookie (mittr_session) → if valid, authenticated
  2. API key (X-API-Key / Bearer / ?key=) → if valid, authenticated
  3. Neither → 401 Unauthorized
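A small model of the resolution order above, added here as an example and not Mittr's server code. The in-memory stores, the sample key and session values, and the choice to use only the first key location present are assumptions. It shows that a request carrying both a valid cookie and a project-scoped key is handled as a session, so project scoping then depends on X-Project-ID.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample stores (hypothetical values, not real Mittr data).
SESSIONS = {"sess-abc": "client-1"}                            # cookie value -> client
API_KEYS = {"mtr_proj_key": "proj-1", "mtr_client_key": None}  # key -> project scope

@dataclass
class AuthResult:
    status: int              # 200 or 401
    method: Optional[str]    # "session", "api_key" or None
    project: Optional[str]   # None = not scoped to a project

def extract_api_key(headers, query, is_websocket):
    """First key found in the documented order: X-API-Key, Bearer, ?key=."""
    if headers.get("x-api-key"):
        return headers["x-api-key"]
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return token.strip()
    # The query parameter is documented as WebSocket only.
    return query.get("key") if is_websocket else None

def authenticate(headers=None, cookies=None, query=None, is_websocket=False):
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    cookies, query = cookies or {}, query or {}
    # 1. Session cookie wins when valid; project comes from X-Project-ID only.
    if cookies.get("mittr_session") in SESSIONS:
        return AuthResult(200, "session", headers.get("x-project-id"))
    # 2. API key; its project scope comes from the key itself.
    key = extract_api_key(headers, query, is_websocket)
    if key in API_KEYS:
        return AuthResult(200, "api_key", API_KEYS[key])
    # 3. Neither credential is valid.
    return AuthResult(401, None, None)
```

Clients that rely on a key's project scope should send the key alone, without a stored session cookie alongside it.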

These endpoints require no authentication:

  • POST /auth/signup, /auth/login, /auth/verify-email
  • POST /auth/forgot-password, /auth/reset-password
  • POST /auth/accept-invite
  • POST /inbound/{pathSuffix} (inbound webhooks)
  • POST /webhooks/billing (provider-signed)
  • GET /health, /health/live, /health/ready
  • GET /docs/, /openapi.yaml, /openapi.json