API Access
Entry points for authentication, session handling, and the live API reference surfaces.
Live Reference
Use the runtime-resolved reference endpoints below for the authoritative API contract. These workflow pages are intended to complement the live reference, not replace it.
- API base
- waiting for runtime config
- Scalar endpoint
- waiting for runtime config
PixService supports two authentication modes:
- Browser sessions use HttpOnly cookies issued by the auth endpoints.
- Automation and third-party API clients use personal access tokens with
Authorization: Bearer.
Use the live reference above for the current OpenAPI contract and interactive Scalar requests.
Browser Sessions
Browser clients sign in through POST /v1/auth/login. Use GET /v1/auth/requirements first to discover registration, password, and MFA enforcement policy. A successful password or MFA flow sets:
pixservice_at: short-lived access token cookiepixservice_rt: refresh token cookiepixservice_td: trusted-device cookie when the user completes MFA withrememberDevice
The access token is not exposed to JavaScript. Session requests should use the browser cookie jar:
await fetch(`${apiBaseUrl}/v1/users/me`, {
credentials: 'include',
});Unsafe cookie-authenticated requests must come from the API origin or an explicitly allowed frontend origin. Cross-site requests without a trusted Origin or Referer header are rejected.
External API Clients
External clients should create a personal access token in the UI or through the PAT endpoints, then send it directly:
curl -H "Authorization: Bearer $PIX_PAT" "$API_BASE/v1/auth/tokens"Do not use browser session cookies for scripts, CLIs, server-side integrations, or workers.