Ghostly ships with two authentication methods that cover every integration scenario: API key authentication for long-lived, non-interactive clients such as the CLI, MCP server, and SDK; and JWT Bearer authentication for the web dashboard and any browser client that needs to stream live run events. Most protected endpoints accept either method transparently — the server resolves the caller’s identity from whichever credential is present.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/Meza-dev/Ghostly/llms.txt
Use this file to discover all available pages before exploring further.
Method 1 — API Key (X-Api-Key header)
Pass your API key in the X-Api-Key header on every request:
••••••••.
Generate an API key:
Via the dashboard
Open the Ghostly dashboard, navigate to Settings → API Keys, and click Create. Give the key a descriptive label (e.g.
ci-pipeline or local-sdk), then copy the value shown — you won’t see it again.ghostly), MCP server (@ghostly-io/cli), the @ghostly-io/client SDK, direct curl scripts, and any CI integration.
Method 2 — JWT Bearer Token (Authorization header)
Obtain a JSON Web Token by calling POST /v1/auth/login, then attach it as a Bearer credential:
JWT_SECRET environment variable (default: "ghostly-secret") and are valid for 7 days from the time of issue. The payload contains the user’s id, email, role, issued-at (iat), and expiry (exp) timestamps.
Used by: web dashboard, and any client consuming the SSE event-stream endpoint.
The SSE run-events endpoint (
GET /v1/runs/:id/events/stream) accepts the JWT via a ?token= query parameter instead of the Authorization header. This is necessary because the browser’s native EventSource API does not support setting custom headers. Example URL:Endpoints
POST /v1/auth/login
Exchange an email address and password for a signed JWT. This endpoint is public — no prior authentication is required.
Request body
The user’s email address.
The user’s plaintext password. Ghostly hashes passwords at rest; the value is never stored or logged.
- curl
- JavaScript (fetch)
POST /v1/auth/register
Create a new user account. Requires an authenticated admin caller — only users with role: "admin" may register new accounts.
Authentication: JWT Bearer or API key (admin role required)
Request body
The email address for the new account. Must be unique — returns
409 if already registered.The plaintext password for the new account. Ghostly hashes it immediately on receipt.
Role to assign. Defaults to
"member" if omitted or any unrecognised value is passed.- curl
- JavaScript (fetch)
GET /v1/auth/me
Return the identity of the currently authenticated user. Useful for verifying that a token or API key is valid and resolving the associated user record.
Authentication: JWT Bearer or API key
- curl (JWT)
- curl (API Key)
@ghostly-io/client SDK
The official TypeScript client handles API key authentication for you. Construct a GhostlyClient with your baseUrl and apiKey — every subsequent SDK call will include the X-Api-Key header automatically.
EventSource cannot carry custom headers. Use client.runEventsUrl() to build the correct URL with the token embedded as a query parameter:
API Key Management
API keys are managed through the/v1/api-keys routes, which require JWT authentication. Refer to the table below for a quick summary, and see the API Keys reference for full endpoint documentation.
| Method | Path | Description |
|---|---|---|
GET | /v1/api-keys | List all keys (values are masked after the first 8 chars) |
POST | /v1/api-keys | Create a new key — full value returned only at creation |
DELETE | /v1/api-keys/:id | Permanently delete a key |