renzora
Game Engine

Authentication

All API requests require authentication via Bearer tokens in the Authorization header.

Token Types

Renzora uses two types of API tokens:

TypePrefixPurposeScope
User Token (JWT)eyJ...Browser sessions, login flowFull user context
API Tokenrz_Server-to-server, CLI toolsScoped by creation
App Tokenrza_Published apps/gamesApp-specific operations

Obtaining Tokens

User Tokens (JWT)

Authenticate via the login endpoint to receive a JWT:

curl -X POST https://renzora.com/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "[email protected]", "password": "your-password"}'

Response:

{
  "token": "eyJhbGciOiJIUzI1NiIs...",
  "user": {
    "id": "uuid",
    "username": "you",
    "email": "[email protected]"
  }
}

API Tokens

Generate API tokens from the Developers page or via the API:

curl -X POST https://renzora.com/api/tokens \
  -H "Authorization: Bearer eyJhbG..." \
  -H "Content-Type: application/json" \
  -d '{"name": "My CI Token"}'

Response:

{
  "token": "rz_a1b2c3d4e5f6...",
  "name": "My CI Token",
  "created_at": "2026-03-31T00:00:00Z"
}

Important: API tokens are shown only once at creation. Store them securely.

App Tokens

App tokens are created when you register an application:

curl -X POST https://renzora.com/api/apps \
  -H "Authorization: Bearer eyJhbG..." \
  -H "Content-Type: application/json" \
  -d '{"name": "My Game", "description": "An awesome game"}'

The response includes an rza_ prefixed token scoped to that app's operations.

Using Tokens

Include the token in the Authorization header for all API requests:

curl https://renzora.com/api/me \
  -H "Authorization: Bearer rz_a1b2c3d4e5f6..."

Token Revocation

Revoke a token by its ID:

curl -X DELETE https://renzora.com/api/tokens/{token_id} \
  -H "Authorization: Bearer eyJhbG..."

Error Responses

StatusMeaning
401 UnauthorizedMissing or invalid token
403 ForbiddenToken lacks required scope
429 Too Many RequestsRate limit exceeded