Overview
Cryptorobot.ai supports multiple authentication strategies:
| Strategy | Use Case | Method |
| --- | --- | --- |
| Local (Email + Password) | User login from apps | POST /authentication |
| Google OAuth | Social login | OAuth2 redirect flow |
| JWT Bearer Token | Authenticated API calls | Authorization: Bearer <token> |
| API Key | Server-to-server / bots | Authorization: ApiKey <key> |
Login (Local Strategy)
Exchange email and password for a JWT access token:
curl -X POST https://api.cryptorobot.ai/authentication \
-H "Content-Type: application/json" \
-d '{
"strategy": "local",
"email": "user@example.com",
"password": "your-password"
}'
Response
{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "authentication": {
    "strategy": "local",
    "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
  },
  "user": {
    "_id": "507f1f77bcf86cd799439011",
    "email": "user@example.com",
    "name": "John Doe",
    "plan": "pro",
    "verified": true
  }
}
Using the Token
Include the JWT token in the Authorization header for all authenticated requests:
curl https://api.cryptorobot.ai/strategies \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
Tokens expire after a configured TTL (default: 7 days). When a token expires, you’ll receive a 401 Not Authenticated error. Re-authenticate to get a fresh token.
Token Refresh
Tokens can be refreshed by authenticating with the existing (still valid) token:
curl -X POST https://api.cryptorobot.ai/authentication \
-H "Content-Type: application/json" \
-H "Authorization: Bearer eyJ..." \
-d '{"strategy": "jwt", "accessToken": "eyJ..."}'
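The expiry and refresh rules above, as an added client-side example (not part of the Cryptorobot.ai documentation or any official SDK): it decides whether a token is still fresh, should be refreshed with the jwt strategy, or needs a new local login, and redacts tokens before logging. It assumes the access token carries a standard exp claim, which this page does not state, and a one-day refresh margin; all function names are hypothetical.

```python
import base64, json, re, time

REFRESH_MARGIN = 24 * 3600  # assumed policy: refresh once under a day remains

def token_expiry(token):
    """Read the exp claim (Unix seconds). The signature is NOT verified here;
    this only schedules client work, the server stays the authority."""
    parts = token.split(".") if isinstance(token, str) else []
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1]
    claims = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("no numeric exp claim")
    return int(exp)

def next_auth_request(token, now=None):
    """Body to POST to /authentication, or None while the token is fresh."""
    now = time.time() if now is None else now
    try:
        remaining = token_expiry(token) - now
    except (ValueError, OverflowError):
        return {"strategy": "local"}  # unusable token: caller adds email/password
    if remaining <= 0:
        return {"strategy": "local"}  # expired: the API would answer 401
    if remaining < REFRESH_MARGIN:
        return {"strategy": "jwt", "accessToken": token}  # refresh call
    return None

_JWT_RE = re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]+")

def redact(text):
    """Strip JWT-shaped strings before a message reaches a log."""
    return _JWT_RE.sub("[REDACTED-JWT]", text)

def make_sample_token(exp):
    """Constructed, unsigned sample token for the demo; not a real credential."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc({"sub": "demo", "exp": exp}), "c2ln"])

if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the demo is reproducible
    for left in (6 * 86400, 3600, -1):
        req = next_auth_request(make_sample_token(now + left), now)
        print(left, redact(json.dumps(req)))
```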
Google OAuth
For web applications, redirect users to the Google OAuth flow:
GET https://api.cryptorobot.ai/oauth/google
After successful authentication, the user is redirected to your callback URL with the JWT token.
Logout
Invalidate the current session:
curl -X DELETE https://api.cryptorobot.ai/authentication \
-H "Authorization: Bearer eyJ..."
This revokes the session server-side. The JWT will be rejected on subsequent requests.
Session Management
List active sessions for the current user:
curl https://api.cryptorobot.ai/users/sessions \
-H "Authorization: Bearer eyJ..."
{
  "total": 3,
  "data": [
    {
      "_id": "session-id-1",
      "userAgent": "Mozilla/5.0...",
      "ip": "192.168.1.1",
      "createdAt": "2024-01-15T10:00:00Z",
      "lastActive": "2024-01-15T14:30:00Z"
    }
  ]
}
Security Best Practices
Never expose JWT tokens in client-side JavaScript, URLs, or logs. Use httpOnly cookies or secure storage mechanisms.
For automated trading bots and server-to-server communication, use API keys instead of user credentials.
Rotate credentials regularly: periodically rotate API keys and re-authenticate to minimize exposure from leaked credentials.
All API requests must use HTTPS. HTTP requests are rejected.
Email Verification
New accounts must verify their email before full access is granted:
# Resend verification email
curl -X POST https://api.cryptorobot.ai/auth-management \
-H "Content-Type: application/json" \
-d '{"action": "resendVerifySignup", "value": {"email": "user@example.com"}}'
Password Reset
# Request password reset
curl -X POST https://api.cryptorobot.ai/auth-management \
-H "Content-Type: application/json" \
-d '{"action": "sendResetPwd", "value": {"email": "user@example.com"}}'
# Complete password reset (with token from email)
curl -X POST https://api.cryptorobot.ai/auth-management \
-H "Content-Type: application/json" \
-d '{"action": "resetPwdLong", "value": {"token": "reset-token-from-email", "password": "new-password"}}'