Skip to main content
The app authenticates with the VRChat API using HTTP Basic Auth on first login. The resulting auth cookie is stored locally in config.json and reused on subsequent launches to avoid re-entering credentials.
The auth cookie is stored in plaintext in config.json in the application directory. Do not use this application on shared machines or in environments where other users can read your files.

Login flow

1

Enter credentials

The login form presents username and password fields, and a “Remember me” checkbox. All network operations run on a background thread; the UI remains responsive throughout.
2

Send login request

The app sends a GET /auth/user request with HTTP Basic Auth (username and password). VRChat returns the auth cookie in the Set-Cookie response header and a JSON user profile in the body.
GET https://api.vrchat.cloud/api/1/auth/user
Authorization: Basic <base64(username:password)>
3

Check for 2FA requirement

If the response body contains a requiresTwoFactorAuth array, the app switches to the 2FA entry screen. The auth cookie from step 2 is retained in memory and used to verify the code.
4

Verify 2FA code (if required)

The user enters the TOTP code from their authenticator app, or a code from their email if VRChat returns emailOtp. The app posts the code to the appropriate endpoint:
POST /auth/twofactorauth/totp/verify      # TOTP authenticator
POST /auth/twofactorauth/emailotp/verify  # Email OTP

Body: { "code": "123456" }
5

Finalize session

After successful login (or 2FA verification), the app calls GET /auth/user again using the auth cookie to retrieve the user_id. The cookie and user ID are written to config.json if “Remember me” was checked.

Session validation on startup

If config.json contains a non-empty auth_cookie and remember_me is true, the app immediately sends a VerifyCookie request on startup — no credentials are required. This calls GET /auth/user with the stored cookie: 
GET https://api.vrchat.cloud/api/1/auth/user
Cookie: auth=<auth_cookie>
If the cookie is still valid, the session is restored silently. If the request fails, the login form is displayed.

Config file

The session state is persisted in config.json in the application directory: 
{
  "auth_cookie": "authcookie_...",
  "user_id": "usr_...",
  "last_login": "2024-01-15T10:30:00Z",
  "remember_me": true
}
FieldTypeDescription
auth_cookieStringThe VRChat auth cookie value (without the auth= prefix)
user_idStringThe authenticated user’s VRChat ID (usr_...)
last_loginString | nullRFC 3339 timestamp of the last successful login; null if remember-me was not used
remember_meboolWhether to persist the auth cookie across sessions
When “Remember me” is checked, auth_cookie and user_id are written to config.json after every successful login or 2FA verification. When unchecked, both fields are cleared from the file — even if a previous session was stored.

Ending a session

The app does not have an explicit logout button. To end your session:
  • Disable “Remember me”: If you log in without “Remember me” checked, the auth cookie and user ID are cleared from config.json when a new LoginSuccess response is received. The fields are wiped as part of the persist_login call.
  • Delete config.json: Remove the file to force the login screen on next launch.
  • Clear auth_cookie: Edit config.json and set auth_cookie to an empty string.
The VRChat API logout endpoint (DELETE /auth/user/logout) is not called by the app. The session is abandoned client-side only — the cookie may remain valid on VRChat’s servers until it expires naturally.

API endpoints reference

MethodEndpointPurpose
GET/auth/userLogin with Basic Auth; also used to verify an existing cookie
POST/auth/twofactorauth/totp/verifyVerify a TOTP 2FA code
POST/auth/twofactorauth/emailotp/verifyVerify an email OTP code

Build docs developers (and LLMs) love

Get started for freeTalk to us