Authenticating users with the portal API
Overview
API key authentication allows you to automatically sign in users by including an authentication token in the URL. This is useful for:
Creating magic login links
Embedding quests in external applications
Deep-linking directly to protected content
How It Works
When a valid API key is provided as a query parameter in the URL, the system will:
Validate the key against our backend
If valid, automatically sign in the associated user
Redirect to the same URL but with the token removed (for security)
Store the user session in a cookie, allowing continued access without the API key
Once the user has been authenticated, they remain signed in via the session cookie, not the API key. This means:
The API key is only needed for the initial authentication
You can use very short expiration times for your API keys (even minutes or seconds)
After authentication, the user has a normal session just like any other login method
Generating API Keys
To generate an API key, use the External User Lookup API endpoint on your community's domain:
Important: Replace your-community-slug with your actual community slug (e.g., if your community is at acme.domino.page, use that domain for the API request).
Request Parameters
externalId (String): Required. The unique identifier for this user in your system
keyName (String): Optional. A name for this API key (defaults to "External API Key for [community]")
keyExpiresInDays (Number): Optional. How long the key should be valid in days (defaults to 30 days)
keyExpiresInSeconds (Number): Optional. How long the key should be valid in seconds. Takes precedence over keyExpiresInDays if both are provided
You may also provide any of these optional identifiers to link accounts:
discordId
twitterId
telegramId
zealyUserId
wallet
Response
Example Request
Using the API Key in URLs
To authenticate a user with an API key, include the key as an authToken query parameter in your community's domain:
When the user visits this URL, they will be:
Automatically authenticated
Redirected to the same URL without the token parameter
Granted a session cookie for continued access
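The URL handling described above, as an added example that is not part of the portal's own documentation or code: building the link with the authToken parameter, the token-free URL the redirect lands on, and redacting the token from text that gets logged. The path, key and log line are constructed sample values, and the HTTPS check is this example's own assumption, not a documented portal requirement.

```javascript
// Added example. Only the parameter name "authToken" and the sample host
// acme.domino.page come from this page; everything else is constructed.
const TOKEN_PARAM = "authToken";

// Build a magic login link: the protected URL plus the API key as authToken.
function buildMagicLink(targetUrl, apiKey) {
  const url = new URL(targetUrl);
  // Assumption of this example: refuse plain http so the key is never
  // sent in clear text.
  if (url.protocol !== "https:") {
    throw new Error("magic links must use https");
  }
  // set() percent-encodes the key, so characters such as + / = survive
  // the round trip instead of being read back as spaces or separators.
  url.searchParams.set(TOKEN_PARAM, apiKey);
  return url.toString();
}

// The URL the user ends up on after the redirect: same URL, token removed.
function stripAuthToken(urlString) {
  const url = new URL(urlString);
  url.searchParams.delete(TOKEN_PARAM);
  return url.toString();
}

// Redact the token in text that may be persisted on your side
// (access logs, error reports, analytics events).
function redactAuthToken(text) {
  return text.replace(/([?&]authToken=)[^&#\s"]*/g, "$1[REDACTED]");
}

// Constructed sample values.
const sampleKey = "sk_test+abc/123=";
const link = buildMagicLink(
  "https://acme.domino.page/quests/welcome?ref=mail",
  sampleKey
);
console.log(link);
console.log(stripAuthToken(link));
console.log(redactAuthToken(`GET ${new URL(link).pathname}${new URL(link).search} HTTP/1.1`));
```

Run redactAuthToken over any URL your own systems record before the redirect happens, since the link you generate passes through your mailer, application logs and any proxy in front of the browser.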
Security Considerations
API keys are sensitive credentials and should be treated securely
Each key is linked to a specific user and should not be shared
API keys can have very short expiration times since they're only needed for initial authentication
Consider using keyExpiresInSeconds for one-time use links with very short lifetimes (minutes or even seconds)
The redirect ensures the token isn't stored in browser history
After authentication, the normal session cookie security applies