
Authentication & conventions

Authentication

Your permanent API key lives in Profile → API key. Its format is {user_id}-{user_api}, for example 42-d3adb33f….

Pass it as a query parameter — this works on every endpoint, including POST:

curl "https://my.altercpa.top/api/profile/info.json?id=42-d3adb33f…"

Or as a Bearer token in the Authorization header:

curl -H "Authorization: Bearer 42-d3adb33f…" \
     "https://my.altercpa.top/api/profile/info.json"

The API key never expires. You can rotate it from Profile or via profile/apikey; the old key stops working immediately.

Session token (dashboard)

The dashboard SPA uses a short-lived session token issued after Telegram login. It is sent the same way (Authorization: Bearer {token}). You won’t need this for scripting.


Conventions

  • GET for reads, POST for writes. No exceptions.

  • Every response is HTTP 200 with Content-Type: application/json, regardless of success or failure. Check the status field, not the HTTP code.

  • Every response is a JSON object:

    { "status": "ok",    "data": {  } }
    { "status": "error", "error": "code" }

  • Endpoints end in .json (e.g. profile/info.json).

  • POST bodies can be JSON (Content-Type: application/json) or form-encoded (application/x-www-form-urlencoded).

  • The ?id= auth param is always a query string parameter, even on POST endpoints.


Framework errors

Any endpoint can return these errors.

error     Meaning
key       Missing or invalid API key
ban       Account suspended
func      Unknown endpoint path
db        Database error — retry; contact support if it persists
unpaid    Subscription lapsed, grace period expired

Grace period: when a subscription lapses, the dashboard stops working immediately, but the public API stays live for a further 7 days. After those 7 days, all authenticated endpoints return unpaid. See Billing & tariffs for the full expiry timeline.

Endpoint-specific errors (exists, limit, token, webhook, unreachable, …) are listed on each resource page.
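
The client below is an added example, not code from the AlterCPA project. It sends the key in the Authorization header, which keeps it out of URLs that proxies and access logs commonly record, and it reads the status field instead of the HTTP code. The names ApiError, parse_response and call, the retry count and the backoff are this example's own choices, and it assumes the Bearer header is accepted on POST as it is on GET.

```python
import json
import time
import urllib.request

BASE = "https://my.altercpa.top/api/"  # host taken from the curl examples on this page

# Framework error codes from this page; only "db" is documented as worth retrying.
FRAMEWORK_ERRORS = {
    "key": "Missing or invalid API key",
    "ban": "Account suspended",
    "func": "Unknown endpoint path",
    "db": "Database error",
    "unpaid": "Subscription lapsed, grace period expired",
}

class ApiError(Exception):
    """Raised for any response whose status field is not "ok"."""
    def __init__(self, code):
        self.code = code
        self.retryable = code == "db"
        super().__init__(f"{code}: {FRAMEWORK_ERRORS.get(code, 'endpoint-specific error')}")

def parse_response(raw):
    """Return the data field on success. The HTTP code is ignored: it is always 200."""
    body = json.loads(raw)
    if not isinstance(body, dict):
        raise ValueError("response is not a JSON object")
    if body.get("status") == "ok":
        return body.get("data")
    # "unknown" is a local placeholder for a missing error field, not an API code.
    raise ApiError(str(body.get("error", "unknown")))

def call(endpoint, api_key, payload=None, retries=2, backoff=1.0,
         opener=urllib.request.urlopen):
    """GET when payload is None, POST with a JSON body otherwise."""
    data = None if payload is None else json.dumps(payload).encode()
    headers = {"Authorization": f"Bearer {api_key}"}  # key stays out of the URL
    if data is not None:
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(BASE + endpoint, data=data, headers=headers)
    for attempt in range(retries + 1):
        with opener(req, timeout=30) as resp:
            raw = resp.read()
        try:
            return parse_response(raw)
        except ApiError as err:
            if not err.retryable or attempt == retries:
                raise
            time.sleep(backoff * 2 ** attempt)
```

Catch ApiError and branch on its code attribute: key, ban and unpaid need operator action, so only db is retried.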