Authentication
MeetBot uses JWT tokens and API keys for authentication.
Authentication Methods
1. API Keys (Recommended for Production)
API keys are long-lived tokens for server-to-server communication:
curl -H "Authorization: Bearer mb_a1b2c3d4e5f6..." \
https://api.meetbot.dev/v1/bots
2. JWT Tokens (User Sessions)
Short-lived access tokens for user sessions:
curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..." \
https://api.meetbot.dev/v1/bots
Creating an Account
Register with Email/Password
POST /auth/register
curl -X POST https://api.meetbot.dev/v1/auth/register \
-H "Content-Type: application/json" \
-d '{
"email": "you@example.com",
"password": "secure-password-123",
"name": "Your Name"
}'
Response:
{
"access_token": "eyJhbGciOiJIUzI1NiIs...",
"refresh_token": "eyJhbGciOiJIUzI1NiIs...",
"token_type": "bearer",
"user_id": "usr_abc123",
"email": "you@example.com",
"name": "Your Name"
}
OAuth Login
GitHub
GET /auth/oauth/github
Redirects to GitHub for authentication. After approval, redirects to:
/auth/callback?access_token=...&refresh_token=...
Google
GET /auth/oauth/google
Same flow as GitHub.
Login
POST /auth/login
curl -X POST https://api.meetbot.dev/v1/auth/login \
-H "Content-Type: application/json" \
-d '{
"email": "you@example.com",
"password": "your-password"
}'
Response:
{
"access_token": "eyJhbGciOiJIUzI1NiIs...",
"refresh_token": "eyJhbGciOiJIUzI1NiIs...",
"token_type": "bearer",
"user_id": 1,
"email": "you@example.com",
"name": "Your Name"
}
Token Refresh
Access tokens expire after 30 minutes. Use the refresh token to get a new one:
POST /auth/refresh
curl -X POST https://api.meetbot.dev/v1/auth/refresh \
-H "Content-Type: application/json" \
-d '{
"refresh_token": "eyJhbGciOiJIUzI1NiIs..."
}'
Response:
{
"access_token": "eyJhbGciOiJIUzI1NiIs...",
"token_type": "bearer"
}
Logout
POST /auth/logout
curl -X POST https://api.meetbot.dev/v1/auth/logout \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN"
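This endpoint returns a success response. Token invalidation is handled client-side: the client logs out by discarding its stored access and refresh tokens. Tokens that are not discarded remain subject to the lifetimes listed under Token Expiration.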
API Keys
Create an API Key
POST /api-keys
curl -X POST https://api.meetbot.dev/v1/api-keys \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "Production API Key",
"expiresAt": "2025-12-31T23:59:59Z"
}'
Response:
{
"id": 1,
"name": "Production API Key",
"key": "mb_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
"keyPreview": "mb_a1b2...a1b2",
"createdAt": "2024-01-15T10:30:00Z",
"expiresAt": "2025-12-31T23:59:59Z",
"isRevoked": false
}
Caution: The full key is only shown once. Store it securely!
List API Keys
GET /api-keys
curl https://api.meetbot.dev/v1/api-keys \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN"
Response:
{
"apiKeys": [
{
"id": 1,
"name": "Production API Key",
"keyPreview": "mb_a1b2...a1b2",
"createdAt": "2024-01-15T10:30:00Z",
"lastUsedAt": "2024-01-20T15:45:00Z",
"expiresAt": "2025-12-31T23:59:59Z",
"isRevoked": false
}
],
"total": 1
}
Revoke an API Key
DELETE /api-keys/{id}
curl -X DELETE https://api.meetbot.dev/v1/api-keys/1 \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN"
Public Endpoints
Some endpoints do not require authentication:
| Endpoint | Description |
|---|---|
| GET /share/{token} | Access a shared recording via public link |
| POST /bot-callbacks/{id}/event | Internal bot container event reporting |
| POST /webhook-receivers/* | Internal transcription service callbacks |
Security Best Practices
- Never expose API keys in client-side code
- Use environment variables for storing keys
- Rotate keys regularly in production
- Use short expiration for sensitive operations
- Revoke compromised keys immediately
- Use separate keys for development and production
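The rotation, expiry and revocation points above can be checked against the `GET /api-keys` response. This is an added example, not MeetBot's own code: it flags active keys with no expiry, keys close to expiry, keys past a rotation age and keys that look unused. The thresholds, the function names and the use of `null` for a key that never expires are assumptions, and the sample listing is constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the GET /api-keys response (not real keys).
# Assumption: a key that never expires is returned with "expiresAt": null.
SAMPLE = json.loads("""
{"apiKeys": [
  {"id": 1, "name": "Production API Key", "keyPreview": "mb_a1b2...a1b2",
   "createdAt": "2024-01-15T10:30:00Z", "lastUsedAt": "2024-01-20T15:45:00Z",
   "expiresAt": "2025-12-31T23:59:59Z", "isRevoked": false},
  {"id": 2, "name": "Old CI key", "keyPreview": "mb_0000...0000",
   "createdAt": "2023-01-01T00:00:00Z", "lastUsedAt": null,
   "expiresAt": null, "isRevoked": false},
  {"id": 3, "name": "Retired key", "keyPreview": "mb_ffff...ffff",
   "createdAt": "2023-06-01T00:00:00Z", "lastUsedAt": "2023-06-02T00:00:00Z",
   "expiresAt": null, "isRevoked": true}
], "total": 3}
""")

def parse_ts(value):
    """Parse the ISO 8601 'Z' timestamps used in the responses; None stays None."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_api_keys(listing, now, max_age_days=90, expiry_warn_days=14, idle_days=30):
    """Return {key id: [findings]} for active keys. Thresholds are example values."""
    report = {}
    for key in listing["apiKeys"]:
        if key.get("isRevoked"):
            continue  # already revoked, nothing left to act on
        findings = []
        created = parse_ts(key["createdAt"])
        expires = parse_ts(key.get("expiresAt"))
        last_used = parse_ts(key.get("lastUsedAt"))
        if expires is None:
            findings.append("no expiry set")
        elif expires <= now:
            findings.append("expired")
        elif expires - now <= timedelta(days=expiry_warn_days):
            findings.append("expires soon")
        if now - created > timedelta(days=max_age_days):
            findings.append("rotation overdue")
        # A key that was never used is measured from its creation time.
        if now - (last_used or created) > timedelta(days=idle_days):
            findings.append("unused, revoke candidate")
        if findings:
            report[key["id"]] = findings
    return report
```

Run it on a schedule against the live listing and feed the flagged ids to `DELETE /api-keys/{id}` or to whatever rotation process you use.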
Token Expiration
| Token Type | Expiration |
|---|---|
| Access Token | 30 minutes |
| Refresh Token | 7 days |
| API Key | Configurable (or never) |