Prime Bot

API authentication

Issue a Sanctum personal access token and send it as a bearer header on every request.

Prime Bot's API is protected by Laravel Sanctum. You trade your dashboard credentials for a token once, then send that token on every subsequent request. Tokens can be scoped to a subset of abilities and revoked independently.

Base URL

https://prime-bot.live/api/v1

Issue a token

POST to /login with your email, password, and a device name. The abilities array is optional — leave it out to request the full set (*), or narrow it so a stolen token can do less damage.

curl -X POST https://prime-bot.live/api/v1/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "you@example.com",
    "password": "hunter2",
    "device_name": "ci-runner",
    "abilities": ["campaigns:read", "logs:read"]
  }'

Example response:

{
  "data": {
    "token": "7|Q3o9XgR...truncated...kv",
    "abilities": ["campaigns:read", "logs:read"],
    "user": {
      "id": 12,
      "email": "you@example.com",
      "name": "Jane Operator"
    }
  },
  "meta": {}
}

Send the bearer header

Put the token in an Authorization header on every protected request:

curl https://prime-bot.live/api/v1/campaigns \
  -H "Authorization: Bearer 7|Q3o9XgR...kv" \
  -H "Accept: application/json"

Available abilities

Ability             Grants
campaigns:read      List and read campaigns.
campaigns:write     Create, update, delete campaigns.
campaigns:control   Start, pause, stop campaigns.
senders:read        List senders/contacts on a campaign.
logs:read           Read message logs.
*                   All of the above. The default when abilities is omitted.

Revoke a token

POST to /logout with the token you want to kill in the bearer header. Only the current token is revoked; other tokens issued to the same user keep working.

curl -X POST https://prime-bot.live/api/v1/logout \
  -H "Authorization: Bearer 7|Q3o9XgR...kv"

Error responses

Authentication failures come back with a JSON body and standard HTTP status codes:

  • 401 Unauthorized — missing, expired, or revoked token.
  • 403 Forbidden — token is valid but lacks the required ability.
  • 422 Unprocessable Entity — bad credentials at /login, with per-field errors under errors.
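
The token lifecycle described on this page (narrowed abilities at /login, revocation at /logout), as an added Python example that is not part of Prime Bot's documentation or code. The helper names scoped_token and http_call are hypothetical; the example assumes a successful login returns a 2xx status and that the abilities array in the response lists what was actually granted.

```python
import json
import urllib.error
import urllib.request
from contextlib import contextmanager

BASE_URL = "https://prime-bot.live/api/v1"  # base URL given on this page


def http_call(method, path, token=None, body=None):
    """Default transport (hypothetical helper): returns (status, JSON body)."""
    headers = {"Accept": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(BASE_URL + path, data=data,
                                 headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:  # 401 / 403 / 422 carry a JSON body
        return err.code, json.loads(err.read() or b"{}")


@contextmanager
def scoped_token(email, password, device_name, abilities, call=http_call):
    """Issue a narrowed token, yield it, and always revoke it on exit."""
    if not abilities or "*" in abilities:
        raise ValueError("request an explicit, narrowed abilities list")
    status, payload = call("POST", "/login", body={
        "email": email, "password": password,
        "device_name": device_name, "abilities": list(abilities)})
    if status == 422:  # bad credentials: per-field errors under "errors"
        raise PermissionError(f"login rejected: {payload.get('errors')}")
    if not 200 <= status < 300:  # assumption: success is any 2xx
        raise RuntimeError(f"unexpected login status {status}")
    token = payload["data"]["token"]
    try:
        # Assumption: the response's abilities list is what was granted.
        extra = set(payload["data"].get("abilities", [])) - set(abilities)
        if extra:
            raise RuntimeError(f"token over-scoped: {sorted(extra)}")
        yield token
    finally:
        call("POST", "/logout", token=token)  # revokes only this token
```

Wrap a job in `with scoped_token(...) as token:` so the token is revoked even when the job raises; pass a fake `call` to exercise the flow without network access.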