Authentication

API key and session authentication for imgbt.

imgbt supports two authentication methods: API keys for programmatic access and session cookies for the dashboard.

API Keys

Each vault has API key pairs consisting of a public key and a secret key.

Public Keys (pk_*)

  • Scope: Read-only access to assets in the bound vault
  • Usage: Safe for client-side code and public applications
  • Header: Authorization: Bearer pk_your_public_key

Secret Keys (sk_*)

  • Scope: Full read/write access to assets in the bound vault
  • Usage: Server-side only — never expose in client code
  • Header: Authorization: Bearer sk_your_secret_key

# Using a secret key
curl https://api.imgbt.com/v1/vaults/{vaultId}/assets \
  -H "Authorization: Bearer sk_your_secret_key"
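
A build-time check for the "server-side only" rule above, as an added example that is not part of imgbt's own documentation or tooling: it scans client-side files for sk_ keys and reports them redacted, while allowing pk_ keys. The key-body pattern, the list of client file suffixes and the sample key values are assumptions constructed for this example.

```python
import re
import sys
from pathlib import Path

# Assumption: the part after "sk_" is 8+ characters from [A-Za-z0-9_-];
# the page only documents the prefix, so adjust this to the real key format.
SECRET_KEY_RE = re.compile(r"\bsk_[A-Za-z0-9_-]{8,}")
# Documentation placeholder used on this page; not a real credential.
PLACEHOLDERS = {"sk_your_secret_key"}
# Assumption: file types that end up in browsers or other public clients.
CLIENT_SUFFIXES = {".js", ".mjs", ".jsx", ".ts", ".tsx", ".html", ".map"}

def redact(token):
    """Keep the prefix plus 4 characters so reports never contain a full key."""
    return token[:7] + "..."

def scan_text(name, text):
    """Return (name, line_no, redacted_key) for each secret key in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in SECRET_KEY_RE.finditer(line):
            if match.group(0) not in PLACEHOLDERS:
                findings.append((name, line_no, redact(match.group(0))))
    return findings

def scan_tree(root):
    """Scan every client-side file under root, e.g. the build output directory."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in CLIENT_SUFFIXES:
            findings += scan_text(str(path), path.read_text(errors="replace"))
    return findings

# Constructed sample bundle: both key values are made up for this example.
SAMPLE_FILES = {
    "dist/gallery.js": 'fetch(u, {headers: {Authorization: "Bearer pk_4f9a1c2e7b"}})',
    "dist/upload.js": 'const h = {\n  Authorization: "Bearer sk_9d3e5a7c1b20"\n};',
    "dist/readme.html": "<code>Authorization: Bearer sk_your_secret_key</code>",
}

def scan_samples():
    """Run the scanner over the constructed samples above."""
    return [f for n, t in sorted(SAMPLE_FILES.items()) for f in scan_text(n, t)]

if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_samples()
    for name, line_no, key in results:
        print(f"{name}:{line_no}: secret key {key} in client-side file")
    sys.exit(1 if results else 0)
```

Run with the build output directory as the only argument; a non-zero exit status fails the CI step. Any key it finds should be revoked, since it has already been written to a client artifact.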

Key Management

Create and revoke keys through the dashboard or API:

# List keys
GET /api/v1/vaults/{vaultId}/keys

# Create a new key pair
POST /api/v1/vaults/{vaultId}/keys
{ "label": "Production API", "type": "secret" }

# Revoke a key
DELETE /api/v1/vaults/{vaultId}/keys/{keyId}

When a key is revoked, the revoked key is immediately cached in Cloudflare KV so that requests using it are rejected quickly at the edge.

Session Authentication

The dashboard uses magic link email authentication:

  1. User enters their email at /login
  2. A magic link is sent to their email
  3. Clicking the link creates a session cookie (__Host-session)
  4. The session is valid for 30 days with a 7-day sliding window refresh

Session auth provides access to all vaults the user has roles in, unlike API keys which are scoped to a single vault.