HTTP routes
Reference table for the HTTP API. Most custom sites only need the client/* routes, called from your server with the project secret.
Start here
With the server helper or your own HTTP client, call these from your backend — not from the browser:
| Method | Path | Auth | Notes |
|---|---|---|---|
| GET | /projects/client/extra-metadata | none | Project secret or client JWT |
| PATCH | /projects/client/extra-metadata | none | Project secret or client JWT |
| GET | /projects/client/session-verify | none | Verify session: query projectId + Bearer project secret + Cookie (defaults: qyzar_session_token, qyzar_session_id). See docs/session-verification. |
| POST | /projects/client/session-verify | none | Same as GET; body may include sessionId, sessionToken or rely on cookies forwarded from the browser. |
| POST | /projects/client/token | none | Mint browser client JWT: body.projectId + project secret. Optional sessionId + sessionToken (or Cookie) binds JWT expiry to the connect session. Optional metadata: identifier, email, phone, nested JSON. |
| GET | /projects/client/token-verify | none | Verify client JWT: query projectId + clientToken (or X-Qyzar-Client-Token / Bearer) + project secret. Returns valid, sessionId (when bound), and public metadata. |
| POST | /projects/client/token-verify | none | Same as GET; body projectId + clientToken. |
All routes
| Method | Path | Auth | Notes |
|---|---|---|---|
| POST | /auth/2fa/create | none | — |
| POST | /auth/2fa/recovery | none | — |
| POST | /auth/2fa/verify | none | — |
| GET | /auth/me | user | Returns passwordAuth when the account uses email/password (not Google-only). |
| PATCH | /auth/password | user | — |
| POST | /auth/password-reset-confirm | none | — |
| POST | /auth/password-reset-request | none | — |
| POST | /auth/register | none | — |
| POST | /auth/signin | none | — |
| POST | /auth/verify-email | none | — |
| POST | /auth/verify-email/resend | none | — |
| POST | /billing/checkout | user | Body: planKey pro\|enterprise; optional successUrl, cancelUrl. Server maps to STRIPE_PRICE_* env. Returns Checkout Session url. |
| GET | /billing/plans | user | Plan catalog: monthlyPriceCents, stripePriceId when configured; checkoutAvailable per tier. |
| POST | /billing/portal | user | Body: optional returnUrl. Stripe Customer Portal url. |
| GET | /billing/status | user | configured + hasCustomer when STRIPE_SECRET_KEY is set. |
| PATCH | /billing/subscription | user | Body: subscriptionId, newPriceId (must match STRIPE_PRICE_PRO or STRIPE_PRICE_ENTERPRISE); optional prorationBehavior. |
| POST | /billing/subscription/cancel | user | Body: subscriptionId; optional immediately (default false = cancel at period end). |
| POST | /billing/subscription/resume | user | Body: subscriptionId; clears cancel_at_period_end. |
| GET | /billing/subscriptions | user | Lists Stripe subscriptions for the signed-in user. |
| POST | /connect/reverify | none | Session JWT + entropy payload |
| GET | /opt-out/confirm | none | — |
| POST | /origin-tokens | user | — |
| POST | /origin-tokens/invalidate | user | — |
| GET | /origin-tokens/status | none | — |
| POST | /origin-tokens/verify | none | — |
| GET | /ping | none | — |
| DELETE | /projects | user | — |
| GET | /projects | user | — |
| PATCH | /projects | user | — |
| POST | /projects | user | — |
| GET | /projects/analytics | user | section=clusters\|devices\|browsers\|sessions\|traffic (Postgres traffic: region + platform) |
| GET | /projects/browser-data | user | — |
| POST | /projects/client/ato-add-identifier | none | Anti-ATO: append trusted identifier to device metadata |
| POST | /projects/client/ato-login-attempt | none | Anti-ATO: project secret; logs attempt, returns prior snapshot + score + lastLoginAt |
| POST | /projects/client/rate-limit-check | none | Project secret; IP + optional metadata buckets; optional settingsOverride and analytics on deny |
| GET | /projects/dashboard-summary | user | — |
| GET | /projects/detail | user | — |
| GET | /projects/devices-data | user | — |
| GET | /projects/entropy-snapshot | user | — |
| GET | /projects/extra-metadata | user | — |
| PATCH | /projects/extra-metadata | user | — |
| GET | /projects/overview-stats | user | — |
| POST | /projects/rate-limit/check | user | — |
| POST | /projects/secret/2fa | user | — |
| POST | /projects/secret/reveal | user | — |
| GET | /projects/settings | user | — |
| PATCH | /projects/settings | user | — |
| POST | /stripe/webhook | none | Stripe-signed webhook; raw JSON body. Persists billing_event_logs. |
| POST | /test/captcha | none | Dev / test captcha tooling |
Auth types are summarized in API basics. Dashboard routes use your Qyzar login; /projects/client/* uses the project secret.
