API Authentication
The EU CAPTCHA platform exposes two separate APIs on two separate hostnames:
| API | Base URL | Purpose |
|---|---|---|
| Management API | https://api-app.eu-captcha.eu/myra-auto-app-api | Sitekeys, statistics, user accounts, organisation management |
| Verification API | https://api.eu-captcha.eu | Server-side CAPTCHA token verification |
Each API uses a different authentication scheme.
Bearer token (management API)
Requests to https://api-app.eu-captcha.eu/myra-auto-app-api (sitekeys, statistics, user data) are authenticated using a JWT Bearer token.
Authorization: Bearer <jwt-token>
Obtaining a token
Tokens are issued by the login endpoint:
Host: https://api-app.eu-captcha.eu/myra-auto-app-api
POST /login
Content-Type: application/json
{
"email": "user@example.com",
"password": "your-password"
}
Response:
{
"success": true,
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
Include the returned token value as the Authorization: Bearer header in subsequent API requests.
Token storage
Tokens are stored as an HTTP cookie (jwt-token) when using the web application. For direct API access, store the token securely (e.g. in memory or a secrets store) and pass it via the Authorization header.
Token expiry and refresh
Tokens expire after a session period. When a request returns HTTP 401, the token has expired. Re-authenticate via POST /login on https://api-app.eu-captcha.eu to obtain a new token.
Remember me (extended session)
To request a 30-day session cookie, include "rememberMe": true in the login request body.
Secret key (verification API)
Requests to https://api.eu-captcha.eu are authenticated using the sitekey's secret key passed in the request body — no Authorization header is used. See Server-Side Verification.
Host: https://api.eu-captcha.eu
POST /v1/verify
Content-Type: application/json
{
"sitekey": "EUCAPTCHA_SITE_KEY",
"secret": "EUCAPTCHA_SECRET_KEY",
"client_ip": "VISITOR_IP",
"client_token": "eu-captcha-response field value",
"client_user_agent": "VISITOR_USER_AGENT"
}
HTTP status codes
| Code | Meaning |
|---|---|
| 200 OK | Request succeeded |
| 201 Created | Resource created successfully |
| 204 No Content | Request succeeded, no body (typically DELETE) |
| 400 Bad Request | Malformed request or validation error |
| 401 Unauthorized | Missing or invalid authentication token |
| 403 Forbidden | Authenticated but not authorised for this resource |
| 404 Not Found | Resource does not exist |
| 422 Unprocessable Entity | Request body failed validation |
Content types
| Operation | Content-Type |
|---|---|
| POST / create | application/json or application/ld+json |
| PATCH / partial update | application/merge-patch+json |
| GET | — (no body) |
| DELETE | — (no body) |