Two Auth Patterns
| Pattern | How to pass credentials | Used for |
|---|---|---|
| Session cookie | Cookie set automatically on login | /auth/*, /payouts/*, /creators/* |
| Bearer API key | Authorization: Bearer YOUR_API_KEY | /sdk/init, /sdk/tip, /sdk/events |
Register
Create a new Tip Stack account. A session is established immediately on success — you do not need a separate login call.
Request body
- A valid email address. It must not already be registered on the platform.
- Account password. Minimum 8 characters.
- Display name for the account. Must be between 2 and 100 characters.
Response 200
- true on a successful registration.
- The newly created user record.
- Session credentials.
| Status | error value | Cause |
|---|---|---|
| 400 | "Invalid payload: Name must be 2-100 characters and password min 8 characters." | Validation failure |
| 409 | "Email already in use" | Duplicate account |
Login
Log in with an existing email and password. The server sets a session cookie and returns an access token.
Request body
- The registered email address.
- The account password.
Response 200
Returns the same user and auth shape as Register above, populated with your existing account data.
| Status | error value | Cause |
|---|---|---|
| 400 | "Invalid payload" | Missing email or password |
| 401 | "Invalid credentials" | Wrong password or unknown email |
Get Current User
Fetch the profile of the currently authenticated user. Use this to verify a session is still valid or to refresh user data in your application.
Send an Authorization: Bearer <accessToken> header. No request body is needed.
Response 200
- true when the session is valid.
- Full profile of the authenticated user.
| Status | error value | Cause |
|---|---|---|
| 401 | "Unauthorized" | No valid session found |
OTP (Email Code) Login
Tip Stack supports a passwordless login flow using a one-time code sent to the user’s email. Use this as an alternative to password-based login, or as a fallback for users who have not set a password.
Send the code
Post the user’s email to /auth/otp/start to begin the OTP flow. Tip Stack generates a 6-digit code that expires in 10 minutes and emails it to the address.
Request body
- The email address to send the one-time code to.
Response 200
| Status | error value | Cause |
|---|---|---|
| 400 | "Email required" | No email provided |
| 404 | "Account not found" | No account matches the email |
Verify the code
Submit the email and the 6-digit code the user received. On success, Tip Stack creates a session and returns the same user and auth payload as a standard login.
Request body
- The same email address used in /auth/otp/start.
- The 6-digit one-time code from the email.
Response 200
| Status | error value | Cause |
|---|---|---|
| 400 | "Invalid or expired code" | Wrong code or code past 10-minute expiry |
| 429 | "Too many failed attempts. Account locked for 15 minutes." | 5 failed attempts within the lockout window |
Each one-time code is valid for 10 minutes. After a successful verification the code is immediately invalidated and cannot be reused.
SDK API Key Auth
SDK endpoints (/sdk/init, /sdk/tip, /sdk/events) are designed for server-side integrations and embedded widgets. They do not use session cookies. Instead, pass your API key as a Bearer token on every request.
SDK endpoints validate your API key server-side. Use a key generated from your dashboard — do not share it publicly or commit it to version control.
Initializing an SDK session
Call /sdk/init from your backend to create a short-lived session token for a tipping widget embed. Pass the token to your frontend instead of your raw API key.
Request body
- creatorId (required): The creator’s wallet address, .sol domain, or UUID (prefixed with auth_).
- originUrl (required): The URL of the page embedding the widget. This must match a domain you have whitelisted in your creator dashboard. localhost and 127.0.0.1 are always permitted for local development.
- Widget theme (optional). Defaults to "dark". Pass "light" for a light theme.
Response 200
- sessionToken: A short-lived token in the format sdk_sess_<uuid>. Use this as the Bearer value for /sdk/tip calls from the frontend.
- Widget configuration to pass to the embedded client.
| Status | error value | Cause |
|---|---|---|
| 400 | "creatorId and originUrl are required" | Missing required fields |
| 401 | "Missing or invalid API key" | No Bearer token or key too short |
| 403 | "Unauthorized Origin" | originUrl is not whitelisted |
| 404 | "Creator not found" | No creator matches the given creatorId |
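The /sdk/init exchange described above, as an added example that is not Tip Stack's own SDK code: a server-side helper that keeps the API key on the backend, builds the request, maps the documented error statuses, and checks that the returned sessionToken really has the sdk_sess_<uuid> shape before it is handed to the frontend. The base URL, the "error" response field name and the sample reply are assumptions or constructed values, not taken from the page.

```python
import json
import uuid
from urllib import error, request

BASE_URL = "https://TIPSTACK_BASE_URL_PLACEHOLDER"  # placeholder: the page gives no base URL

class SdkInitError(RuntimeError):
    """Non-200 /sdk/init reply; args == (status, documented error value)."""

def build_init_request(api_key, creator_id, origin_url, theme="dark"):
    """Headers and JSON body for POST /sdk/init. The raw API key appears only here, server-side."""
    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
    return headers, {"creatorId": creator_id, "originUrl": origin_url, "theme": theme}

def is_session_token(value):
    """True only for the documented sdk_sess_<uuid> shape (36-char dashed UUID)."""
    rest = value[len("sdk_sess_"):] if isinstance(value, str) and value.startswith("sdk_sess_") else ""
    try:
        return len(rest) == 36 and str(uuid.UUID(rest)) == rest.lower()
    except ValueError:
        return False

def parse_init_response(status, body_text):
    """Map the documented status codes to an exception, or return a validated token."""
    data = json.loads(body_text)
    if status != 200:  # 400/401/403/404 per the table above; the "error" field name is assumed
        raise SdkInitError(status, data.get("error", "unknown error"))
    token = data.get("sessionToken")
    if not is_session_token(token):  # never hand the browser something that is not a session token
        raise SdkInitError(status, "response lacks a well-formed sessionToken")
    return token

def http_post(url, headers, body):
    """Real transport returning (status, body_text); tests swap in an offline fake."""
    req = request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    try:
        with request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except error.HTTPError as e:
        return e.code, e.read().decode()

def init_sdk_session(api_key, creator_id, origin_url, theme="dark", transport=http_post):
    """Full exchange: build the request, send it via `transport`, validate the token."""
    headers, body = build_init_request(api_key, creator_id, origin_url, theme)
    status, text = transport(BASE_URL + "/sdk/init", headers, body)
    return parse_init_response(status, text)

# Constructed sample success reply (not captured from the real service), for offline use.
SAMPLE_OK = (200, json.dumps({"sessionToken": "sdk_sess_123e4567-e89b-12d3-a456-426614174000"}))
```

Pass `transport=lambda u, h, b: SAMPLE_OK` to exercise the flow without network access; with the default transport the call goes to BASE_URL.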
Using the session token
Once your backend has received a sessionToken from /sdk/init, pass it to your frontend and use it as the Bearer token for /sdk/tip calls:
