Authentication
Auth & API Key Management
Create an account, verify your email, manage API keys, and recover access.
Signup
Create an account at trucore.xyz/signup or use the API:
```bash
curl -sS https://api.trucore.xyz/auth/signup \
  -H "Content-Type: application/json" \
  -d '{"email": "you@example.com", "password": "your-secure-password"}'
```
```json
{
  "token": "eyJhbGciOiJIUzI1NiIs...",
  "tenant_id": "cust_a1b2c3d4e5f6",
  "api_key": "atf_live_...",
  "email_verified": false
}
```
Signup creates a tenant, generates your first API key, and returns a JWT for authenticated requests. The API key secret is displayed only once - save it immediately.
Requirements
- Valid email address (disposable email domains are rejected)
- Password: minimum 8 characters
Login
Sign in via the web portal or the API:
```bash
curl -sS https://api.trucore.xyz/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "you@example.com", "password": "your-password"}'
```
Returns a JWT token valid for 24 hours. Use the token in the Authorization: Bearer header for customer API calls (key management, receipts, dashboard).
Email Verification
After signup, a verification email is sent automatically. Click the link in the email or confirm via API:
```bash
curl -sS https://api.trucore.xyz/auth/verify-email/confirm \
  -H "Content-Type: application/json" \
  -d '{"token": "TOKEN_FROM_EMAIL"}'
```
| Endpoint | Description |
|---|---|
| POST /auth/verify-email/request | Resend verification email (requires JWT) |
| POST /auth/verify-email/confirm | Confirm email with token from inbox |
| GET /auth/verify-email/status | Check current verification state (requires JWT) |
Verification tokens expire after 24 hours. If your token has expired, request a new one from the portal or API.
API Key Management
API keys authenticate your bot or agent to the ATF protect and execute endpoints. Use your JWT to manage keys.
Create a Key
```bash
curl -sS https://api.trucore.xyz/customer/keys \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -d '{"label": "production-bot-v2"}'
```
```json
{
  "key_id": "key_a1b2c3d4",
  "tenant_id": "cust_a1b2c3d4e5f6",
  "label": "production-bot-v2",
  "status": "active",
  "secret": "atf_live_...",
  "created_at": "2026-03-21T00:00:00Z"
}
```
The secret field is shown only once. Store it securely. If lost, revoke the key and create a new one.
List Keys
Returns all keys for your tenant. The secret hash is never exposed in list responses.
Rotate a Key
```bash
curl -sS -X POST https://api.trucore.xyz/customer/keys/key_a1b2c3d4/rotate \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"
```
Rotation revokes the old key and issues a new one in a single operation. The new secret is returned once - update your bot configuration immediately.
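One way for a client to handle the one-time secret that rotation returns, as an added example that is not TruCore's own code. It assumes the rotate response carries the same `key_id` and `secret` fields as the create-key response above; `rotate_key`, `store_secret` and the file names are hypothetical.

```python
import json
import os
import tempfile
import urllib.request

API_BASE = "https://api.trucore.xyz"  # host used in the curl examples on this page


def rotate_key(jwt: str, key_id: str) -> dict:
    """POST /customer/keys/{key_id}/rotate, authenticated with the JWT."""
    req = urllib.request.Request(
        f"{API_BASE}/customer/keys/{key_id}/rotate",
        method="POST",
        headers={"Authorization": f"Bearer {jwt}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def store_secret(response: dict, path: str) -> dict:
    """Persist the one-time secret to `path` and return the response with
    the secret stripped, so the remainder is safe to log."""
    secret = response.get("secret")  # assumed field name, as in the create response
    if not secret or "key_id" not in response:
        raise ValueError("response carries no usable key secret")
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file with mode 0600, so the secret is never
    # readable by other local users, not even briefly.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".atf-key-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(secret + "\n")
            fh.flush()
            os.fsync(fh.fileno())
        # Atomic swap: a bot re-reading the file sees the old or the new
        # secret, never a partial write.
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return {k: v for k, v in response.items() if k != "secret"}


if __name__ == "__main__":
    # Constructed sample response; not a real key.
    sample = {"key_id": "key_a1b2c3d4", "status": "active",
              "secret": "atf_live_CONSTRUCTED_EXAMPLE"}
    target = os.path.join(tempfile.mkdtemp(), "atf_api_key")
    print(store_secret(sample, target))  # metadata only, no secret
```

In a live run the call would be `store_secret(rotate_key(jwt, key_id), path)`; because the old key is revoked by the same operation, the bot should reload the file right after the swap.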
Revoke a Key
```bash
curl -sS -X POST https://api.trucore.xyz/customer/keys/key_a1b2c3d4/revoke \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"
```
Revocation is immediate. Any requests using the revoked key will be rejected.
Using API Keys
Include your API key in the X-API-Key header for protect and execution endpoints:
| Auth Method | Header | Used For |
|---|---|---|
| API Key | X-API-Key | Protect, execute, verify (bot/agent requests) |
| JWT Token | Authorization: Bearer | Key management, receipts, dashboard, account settings |
Account Recovery
If you forget your password, request a reset from the forgot password page or the API:
| Endpoint | Description |
|---|---|
| POST /auth/reset-password/request | Send reset email to registered address |
| POST /auth/reset-password/confirm | Set new password using reset token |
| POST /auth/reset-password/validate | Check if a reset token is still valid |
Reset tokens expire after 24 hours. New passwords must be at least 8 characters.
Security Notes
- Passwords are hashed with bcrypt - plaintext is never stored
- Tokens (verification, reset) are stored as SHA-256 hashes
- API key secrets are hashed after first display - store securely
- JWT tokens expire after 24 hours
- Rate limiting protects all auth endpoints from brute-force attempts