Most API calls require an auth token to identify the signed-in user. Developers will pass tokens in the Authorization HTTP header. These tokens can be generated manually by the user on the Account → “App tokens” page, or returned as part of IndieAuth and other authentication flows.
Tokens might expire. Apps should call POST /account/verify to exchange an expiring token for a new token. We recommend verifying the token on app launch or once every few days.
If a token has no expiration but Micro.blog notices that a client app is calling /account/verify regularly, Micro.blog will automatically switch the token to be an expiring token.
There are a few forms of authentication to get a token. For the email sign-in authentication, primarily used for native mobile apps, you will be passed a temporary sign-in token that must be verified before it can be used in other API calls.
Send the temporary sign-in token in a form-encoded POST:
POST /account/verify
token=ABCDEFG
The response will include a new token that you should store in your app:
{
  "token": "HIJKLMNOP",
  "name": "Manton Reece",
  "username": "manton",
  "avatar": "https://micro.blog/manton/avatar.jpg",
  "default_site": "manton.micro.blog",
  "expires_at": "..."
}
If there was an error:
{
  "error": "App token was not valid."
}
The /account/verify API call can also be used to verify an existing token you have in your app.
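The verify-and-replace step described above, as a client-side sketch. This is an added example, not Micro.blog's own code. It assumes the API is served from https://micro.blog, and it uses a plain dict named store as a hypothetical stand-in for the app's secure storage; the function names are also hypothetical.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumption: the API is served from https://micro.blog (the page gives only the path).
VERIFY_URL = "https://micro.blog/account/verify"


class TokenRejected(Exception):
    """The server answered with an "error" field for this token."""


def post_form(url, fields):
    """Form-encoded POST; returns the raw body even for non-2xx replies."""
    data = urllib.parse.urlencode(fields).encode("ascii")
    try:
        with urllib.request.urlopen(url, data=data, timeout=10) as resp:
            return resp.read()
    except urllib.error.HTTPError as exc:
        return exc.read()


def verify_token(token, post=post_form):
    """Exchange a temporary or expiring token; return the parsed reply."""
    reply = json.loads(post(VERIFY_URL, {"token": token}))
    if not isinstance(reply, dict):
        raise ValueError("unexpected reply shape")
    if "error" in reply:
        # Surface the server's message only; never echo the token itself.
        raise TokenRejected(str(reply["error"]))
    if not isinstance(reply.get("token"), str) or not reply["token"]:
        raise ValueError("reply carried neither token nor error")
    return reply


def refresh_stored_token(store, post=post_form):
    """Run on app launch: swap in the new token, or drop a rejected one.

    Network and parse failures propagate and leave the stored token alone,
    so an outage does not sign the user out.
    """
    try:
        reply = verify_token(store["token"], post)
    except TokenRejected:
        store.pop("token", None)  # caller must start a fresh sign-in
        return False
    store["token"] = reply["token"]
    store["expires_at"] = reply.get("expires_at")
    return True
```

The post parameter lets the exchange be exercised offline with a constructed reply instead of a live request.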