All developer API requests should be made to:
https://whatsyour.info/api/v1
Our API uses a simple, secure token-based authentication system. Three kinds of bearer credentials are accepted, each sent in the `Authorization` header:

API key: a permanent secret key for server-to-server authentication.

```
Authorization: Bearer wyi_live_1234567890abcdef...
```

Use this key ONLY to authenticate with the /api/v1/auth/login endpoint to get a short-lived JWT.

JWT: a short-lived token used to access protected user resources.

```
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
```

Obtained from the login endpoint. Use this for all calls to /api/v1/me.

OAuth access token: the standard flow for applications acting on behalf of other users.

```
Authorization: Bearer oauth_access_token_...
```

Use this when you need users to grant your app permission to access their data.
Complete reference for all available endpoints.

Access public data without authentication.

/api/v1/profile/{username}
Get public profile information for a specific user.

Response:

```json
{
  "username": "johndoe",
  "firstName": "John",
  "bio": "Software engineer...",
  "isProUser": true,
  "links": [],
  "design": {}
}
```

/api/v1/avatars/{username}
Get a user's avatar image.

Response: binary image data (e.g., image/png)
Authenticate and get a short-lived token for further requests.

/api/v1/auth/login
Exchange a permanent API Key for a short-lived JWT. The API key is sent in the `Authorization` header; the request body is empty.

Request body:

```json
{}
```

Response:

```json
{
  "message": "Authentication successful",
  "token_type": "Bearer",
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "expires_in": 3600
}
```
Manage the user profile associated with your access token.

/api/v1/me
Get the complete profile of the authenticated user.

Response:

```json
{
  "_id": "...",
  "username": "johndoe",
  "email": "user@example.com",
  "bio": "...",
  "links": [
    {
      "title": "Portfolio",
      "url": "..."
    }
  ]
}
```

/api/v1/me
Update fields on the authenticated user's profile.

Request body:

```json
{
  "firstName": "John",
  "bio": "My updated bio.",
  "links": [
    {
      "title": "My Website",
      "url": "https://example.com"
    }
  ],
  "design": {
    "theme": "nite"
  }
}
```

Response:

```json
{
  "message": "Profile updated successfully."
}
```
Manage your own developer resources like API keys and OAuth apps.

/api/dev/stats
Get usage statistics for your developer account.

Response:

```json
{
  "apiKeys": 1,
  "oauthClients": 0,
  "apiCalls": 150,
  "rateLimit": "1,000/hr"
}
```

/api/dev/keys
List all of your API keys.

Response:

```json
{
  "keys": [
    {
      "_id": "...",
      "name": "Production Key",
      "key": "wyi_...",
      "lastUsed": "..."
    }
  ]
}
```

/api/dev/keys
Create a new API key.

Request body:

```json
{
  "name": "My New App Key"
}
```

Response:

```json
{
  "message": "API key created successfully",
  "key": {}
}
```

/api/dev/keys/{keyId}
Permanently delete an API key.

Response:

```json
{
  "message": "API key deleted successfully"
}
```
Standard OAuth 2.0 Authorization Code flow for third-party applications to securely access user data on their behalf.
/oauth/authorize
The first step of the OAuth flow. Redirect the user to this endpoint to request their permission for your application to access their data.
Name | Type | Required | Description |
---|---|---|---|
client_id | string | Required | The Client ID of your registered OAuth Application. |
redirect_uri | string | Required | The callback URL where the user will be sent after authorization. Must exactly match one of the URIs in your app settings. |
response_type | string | Required | Must be the literal string "code". |
scope | string | Required | A space-delimited list of permissions your app is requesting. Example: "profile:read email:read". |
state | string | Optional | An opaque value used to prevent CSRF attacks. It will be returned to you in the redirect. |
Redirects the user to your `redirect_uri` with an authorization `code` and the original `state` in the query parameters upon success. On failure, it redirects with an `error` parameter.
/api/v1/oauth/token
The second step of the OAuth flow. Your server exchanges an authorization code or a refresh token for a new access token.

Request body (the fields you send depend on `grant_type`):

```jsonc
{
  "grant_type": "authorization_code",   // or "refresh_token"
  "client_id": "your_client_id",
  "client_secret": "your_client_secret",

  // If grant_type is "authorization_code":
  "code": "the_authorization_code_from_the_redirect",
  "redirect_uri": "the_exact_same_redirect_uri_from_the_first_step",

  // Or if grant_type is "refresh_token":
  "refresh_token": "the_refresh_token_from_a_previous_exchange"
}
```
Response:

```json
{
  "access_token": "wyi_at_new_access_token...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "wyi_rt_a_brand_new_refresh_token...",
  "scope": "profile:read email:read"
}
```

IMPORTANT: Refresh Token Rotation is enabled. Each time you use a refresh token, you will receive a NEW refresh token in the response. You MUST save this new one for future use, as the old one is immediately invalidated.
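The two OAuth steps above, as an added example that is not part of this documentation or the service's own SDK: it builds the /oauth/authorize redirect with a random `state`, checks that `state` on the callback before trusting the `code`, and persists the rotated refresh token after every token exchange. The HTTP transport is injected, and `FakeTokenEndpoint` is a constructed stand-in for the token endpoint (single-use refresh tokens) so the flow runs offline; the `AUTHORIZE_URL` host is assumed to be the same as the API host.

```python
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://whatsyour.info/oauth/authorize"  # assumed: /oauth/authorize on the same host
TOKEN_URL = "https://whatsyour.info/api/v1/oauth/token"

def build_authorize_url(client_id, redirect_uri, scope):
    """Step 1: the redirect URL plus the random `state` to keep in the user's session."""
    state = secrets.token_urlsafe(32)
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": scope, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state

def code_from_callback(query, expected_state):
    """Validate the redirect back: reject `error` and any `state` this session did not issue."""
    if "error" in query:
        raise PermissionError(f"authorization failed: {query['error']}")
    if not secrets.compare_digest(query.get("state", ""), expected_state):
        raise PermissionError("state mismatch (possible CSRF); discarding code")
    return query["code"]

class TokenClient:
    """Step 2: exchange a code or refresh token; always keep the rotated refresh token."""
    def __init__(self, post, client_id, client_secret):
        self.post, self.client_id, self.client_secret = post, client_id, client_secret
        self.access_token = self.refresh_token = None
    def _exchange(self, body):
        body.update(client_id=self.client_id, client_secret=self.client_secret)
        tokens = self.post(TOKEN_URL, body)
        self.access_token = tokens["access_token"]
        self.refresh_token = tokens["refresh_token"]  # the old one is now invalid: persist the new one
        return tokens
    def exchange_code(self, code, redirect_uri):
        return self._exchange({"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri})
    def refresh(self):
        return self._exchange({"grant_type": "refresh_token", "refresh_token": self.refresh_token})

class FakeTokenEndpoint:
    """Constructed stand-in for /api/v1/oauth/token: every refresh token is single-use."""
    def __init__(self):
        self.live_refresh_tokens = set()
    def __call__(self, url, body):
        rt = body.get("refresh_token")
        if body["grant_type"] == "refresh_token" and rt not in self.live_refresh_tokens:
            raise PermissionError("invalid_grant: refresh token already used or unknown")
        self.live_refresh_tokens.discard(rt)  # consume the presented token
        new_rt = "wyi_rt_" + secrets.token_hex(8)
        self.live_refresh_tokens.add(new_rt)
        return {"access_token": "wyi_at_" + secrets.token_hex(8), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": new_rt, "scope": "profile:read email:read"}
```

In production, replace `FakeTokenEndpoint` with a function that POSTs `body` to `url` and returns the decoded JSON, and write `client.refresh_token` to durable storage before using the new access token.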
API usage limits to ensure fair usage and system stability.

Rate limit headers: all responses include rate limit information in the headers `X-RateLimit-Limit`, `X-RateLimit-Remaining` and `X-RateLimit-Reset`.
Standard HTTP status codes and error responses