API Access

Entry points for authentication, session handling, and the live API reference surfaces.

Live Reference

Use the runtime-resolved reference endpoints below for the authoritative API contract. These workflow pages are intended to complement the live reference, not replace it.

API base
waiting for runtime config
Scalar endpoint
waiting for runtime config

PixService supports two authentication modes:

  • Browser sessions use HttpOnly cookies issued by the auth endpoints.
  • Automation and third-party API clients use personal access tokens with Authorization: Bearer.

Use the live reference above for the current OpenAPI contract and interactive Scalar requests.

Browser Sessions

Browser clients sign in through POST /v1/auth/login. Use GET /v1/auth/requirements first to discover registration, password, and MFA enforcement policy. A successful password or MFA flow sets:

  • pixservice_at: short-lived access token cookie
  • pixservice_rt: refresh token cookie
  • pixservice_td: trusted-device cookie when the user completes MFA with rememberDevice

The access token is not exposed to JavaScript. Session requests should use the browser cookie jar:

await fetch(`${apiBaseUrl}/v1/users/me`, {
  credentials: 'include',
});

Unsafe cookie-authenticated requests must come from the API origin or an explicitly allowed frontend origin. Cross-site requests without a trusted Origin or Referer header are rejected.

External API Clients

External clients should create a personal access token in the UI or through the PAT endpoints, then send it directly:

curl -H "Authorization: Bearer $PIX_PAT" "$API_BASE/v1/auth/tokens"

Do not use browser session cookies for scripts, CLIs, server-side integrations, or workers.

On this page