Authentication
Two auth mechanisms: JWT for platform APIs (api.e2a.bot), API keys for control plane (api.e2a.bot).
Auth Types
Bearer JWT
Short-lived token from /v1/auth/verify-otp. Used for api.e2a.bot routes (account, API keys, billing, dashboard).
Bearer API key
Long-lived key from /v1/api-keys. Format: e2a_live_.... Used for api.e2a.bot routes (sandboxes, sessions, secrets).
Request OTP
POST
api.e2a.bot/v1/auth/loginRequest a one-time password sent to your email. Creates account if new.
Request
curl -X POST https://api.e2a.bot/v1/auth/login \
-H "Content-Type: application/json" \
-d '{"email": "you@example.com"}'| Code | Meaning | When |
|---|---|---|
| 200 | OK | OTP sent (or queued) |
Verify OTP
POST
api.e2a.bot/v1/auth/verify-otpVerify the OTP code to receive a JWT.
Request
curl -X POST https://api.e2a.bot/v1/auth/verify-otp \
-H "Content-Type: application/json" \
-d '{"email": "you@example.com", "code": "123456"}'Response (200)
{
"token": "eyJ...", // JWT — use as Bearer token
"user_id": "usr_abc",
"email": "you@example.com"
}| Code | Meaning | When |
|---|---|---|
| 200 | OK | OTP valid, JWT issued |
| 401 | Unauthorized | OTP invalid or expired |
Create API Key
POST
api.e2a.bot/v1/api-keysCreate a new API key. The full secret is returned once — save it!
Request
curl -X POST https://api.e2a.bot/v1/api-keys \ -H "Authorization: Bearer eyJ..." # JWT from verify-otp
Response (201)
{
"key_id": "key_abc",
"key": "e2a_live_...", // SAVE THIS — only shown once!
"prefix": "e2a_live_abc"
}| Code | Meaning | When |
|---|---|---|
| 201 | Created | key issued |
List API Keys
GET
api.e2a.bot/v1/api-keysList all API keys. Secrets are NOT returned.
Response (200)
{
"api_keys": [
{
"key_id": "key_abc",
"prefix": "e2a_live_abc",
"revoked": false,
"created_at": "2026-04-18T12:34:56Z",
"plan_tier": "free"
}
]
}Revoke API Key
DELETE
api.e2a.bot/v1/api-keys/{id}Revoke an API key. Irreversible — revoked keys stop authenticating immediately.
Response (200)
{ "status": "revoked" }| Code | Meaning | When |
|---|---|---|
| 200 | OK | key revoked |
| 404 | Not found | no such key_id for this user |