Authentication
Authenticate Management API requests with a Bearer token.
Send the full Management API key in the HTTP Authorization header:
curl https://api.blazeauth.net/api/v1/panel/get-applications \
  -H "Authorization: Bearer $BLAZEAUTH_MANAGEMENT_API_KEY"
Key format
Management API keys use this format:
blz_mgmt_<public_id>_<secret>
public_id starts with bak_ and contains 16 alphanumeric characters after the prefix.
The secret part contains 48 alphanumeric characters.
Only the full key can authenticate. Blazeauth stores the public id, a keyed hash, and the last four characters. The plaintext key is shown once after creation and cannot be revealed again.
blz_mgmt_bak_0123456789abcdef_0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKL
Store the key immediately
If the one-time reveal is closed, the secret cannot be recovered. Revoke the key and create a replacement.
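The storage model described above (public id, keyed hash, last four characters) explains why only the full key authenticates and why it cannot be shown again. The sketch below is an added example, not Blazeauth's code. It assumes HMAC-SHA256 over the full key with a server-side secret; the page says only "keyed hash". `PEPPER`, `make_record`, and `verify` are hypothetical names.

```python
import hashlib
import hmac
import re

# Format from the page: blz_mgmt_<public_id>_<secret>, where public_id is
# "bak_" + 16 alphanumerics and the secret is 48 alphanumerics.
KEY_RE = re.compile(r"blz_mgmt_(bak_[A-Za-z0-9]{16})_([A-Za-z0-9]{48})")

# Assumption: a server-side HMAC key, constructed for this example only.
PEPPER = b"constructed-example-pepper"


def keyed_hash(full_key: str) -> bytes:
    # Assumption: HMAC-SHA256 over the full key string.
    return hmac.new(PEPPER, full_key.encode(), hashlib.sha256).digest()


def make_record(full_key: str) -> dict:
    """Build what is kept at creation time; the plaintext key is not kept."""
    m = KEY_RE.fullmatch(full_key)
    if m is None:
        raise ValueError("malformed key")
    return {"public_id": m.group(1), "hash": keyed_hash(full_key),
            "last4": full_key[-4:]}


def verify(authorization_header: str, store: dict) -> str:
    """Return "ok" or the page's api_key_invalid error code."""
    scheme, _, token = authorization_header.partition(" ")
    m = KEY_RE.fullmatch(token) if scheme == "Bearer" else None
    if m is None:
        return "api_key_invalid"  # missing or malformed
    record = store.get(m.group(1))
    if record is None:
        return "api_key_invalid"  # unknown public id
    # Constant-time comparison avoids leaking how many hash bytes matched.
    if not hmac.compare_digest(record["hash"], keyed_hash(token)):
        return "api_key_invalid"  # secret does not match the stored hash
    return "ok"


# Constructed sample data: the example key shown on the page.
SAMPLE_KEY = ("blz_mgmt_bak_0123456789abcdef_"
              "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKL")
STORE = {r["public_id"]: r for r in [make_record(SAMPLE_KEY)]}
```

Expiration, revocation, scope, and application checks would follow a successful match and are left out of this sketch.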
Dashboard session routes
The following routes are session-only:
| Method | Path | Reason |
|---|---|---|
| GET | /api/v1/panel/api-keys | Key metadata is part of dashboard account settings. |
| POST | /api/v1/panel/api-keys | API keys cannot mint other API keys. |
| PATCH | /api/v1/panel/api-keys/:id | API keys cannot change their own permissions. |
| POST | /api/v1/panel/api-keys/:id/revoke | API keys cannot revoke other API keys. |
Billing, password, email, two-factor authentication, avatar upload, and account deletion routes are also session-only.
Application restrictions
When a key is restricted to selected applications, every route with applicationId checks both:
- the required scope;
- whether the key may access that application id.
Creating a new application requires applications:create and all-application access.
Errors
| Code | Meaning |
|---|---|
| api_key_invalid | Missing, malformed, unknown, or mismatched key. |
| api_key_expired | Key exists but is past its expiration time. |
| api_key_revoked | Key was revoked. |
| insufficient_scope | Key does not include the required scope. |
| application_forbidden | Key is restricted away from the requested application. |
| session_required | Endpoint only accepts a dashboard session. |