Authentication
The RaceHooks API authenticates with OAuth 2.0 client credentials: you exchange a client_id and client_secret for a short-lived Bearer token. Before you can get those credentials you need a verified account. This page walks the full path — sign up, verify your email, get your credentials, and mint a token — and serves as the reference for every /v1/auth endpoint.
- Sign up — POST /v1/auth/signup
- Verify your email — POST /v1/auth/verify-email (also logs you in)
- Get your credentials — console API Keys page, or POST /v1/oauth/credentials
- Exchange them for a Bearer token — POST /v1/oauth
Sign up
Create an account. Email, password, and the three consent flags are required.
| Field | Type | Description |
|---|---|---|
email | string | Your email address. A verification link is sent here. |
password | string | 8–72 characters. |
tosAccepted | boolean | Must be true — accepts the Terms of Service. |
privacyAccepted | boolean | Must be true — accepts the Privacy Policy. |
aupAccepted | boolean | Must be true — accepts the Acceptable Use Policy. |
name | string? | Optional display name. |
502 with code email_delivery_failed — your account is still created, so retry with POST /v1/auth/resend-verification rather than signing up again.Verify your email
Verification is mandatory — you cannot log in or reach your credentials until it's done. The email contains a link to racehooks.io/verify-email?token=…; opening it verifies you. There are two API calls, and the distinction matters:
| Field | Type | Description |
|---|---|---|
GET /v1/auth/verify-email?token= | read-only | Checks whether a token is valid. Does NOT verify the account — safe for email scanners to prefetch. |
POST /v1/auth/verify-email | commit | Consumes the token, activates the account, and sets a session cookie. This is the one that verifies you. |
POST /v1/auth/resend-verification with your email sends a fresh one (and invalidates older links). It always returns 200so it can't be used to probe which emails have accounts.Get your credentials
Your client_id and client_secret are created with your account. Grab them from the API Keys page in the console, or fetch them programmatically with the session cookie set by verify-email (or login):
client_secretlike a password. It's retrievable while your session is valid; if it leaks, rotate it with POST /v1/console/regenerate-secret (which also invalidates any live Bearer tokens).Exchange credentials for a Bearer token
Post your credentials to /v1/oauth. The returned token is valid for 12 hours; include it as an Authorization: Bearer header on every protected request.
Logging in (session auth)
POST /v1/auth/login authenticates an existing, verified account with email and password and sets a session cookie. It is the entry point for the console and for POST /v1/oauth/credentials — it does not return a Bearer token. Use the client-credentials exchange above for API tokens.
Before verification, login returns 403 "Please verify your email before signing in". POST /v1/auth/logout clears the session.
Endpoint reference
| Field | Type | Description |
|---|---|---|
POST /v1/auth/signup | public | Create an account and send a verification email. |
POST /v1/auth/verify-email | public | Consume a token, verify the account, set a session cookie. |
GET /v1/auth/verify-email | public | Read-only token validity check (no side effects). |
POST /v1/auth/resend-verification | public | Resend the verification email for an unverified account. |
POST /v1/auth/login | public | Email + password → session cookie. |
POST /v1/auth/logout | session | Clear the current session. |
POST /v1/oauth/credentials | session | Return { clientId, clientSecret } for the logged-in account. |
POST /v1/oauth | public | Exchange client_id + client_secret for a Bearer token. |
Rate limits
The auth endpoints are rate-limited per IP: signup 5/10 min, login 10/5 min, resend-verification 3/10 min. When you exceed a limit the response is 429 with code rate_limit_exceeded and a Retry-After header (seconds) — back off for that long before retrying.