Every MikroTik router registered on the platform is issued a dedicated Router API Key — a signed JWT that the captive portal HTML page embeds and sends with every API call it makes. Because the key encodes the router’s identity and company membership directly in its payload, the API can scope each request to the correct tenant without a database user lookup. This page explains the key’s format, lifecycle, and all management operations available to a super_admin.
Key Format
A Router API Key is a standard HS256-signed JWT prefixed with the literal string jwt_.
The jwt_ prefix lets the API distinguish a Router API Key from a session Bearer token in a single string comparison before any cryptographic work is performed. When validating, the prefix is stripped and the remaining JWT is decoded with JWT_APIKEY_SECRET.
JWT Payload
The following claims are embedded in every Router API Key at issuance (from generar_api_key_jwt in app/api/admin/routers.py):
| Claim | Type | Description |
|---|---|---|
| jti | string | Unique key identifier — e.g. key_abcd1234ef567890 |
| iss | string | Always "mikrotik-payment-api" |
| sub | string | The router_id this key belongs to |
| empresa | string | The empresa_id (company) that owns the router |
| iat | number | Unix timestamp when the key was issued |
| exp | number | Unix timestamp when the key expires |
| type | string | Always "router_api_key" |
Obtain and Use a Key
Create a router (super_admin only)
A Router API Key is generated automatically when you create a new router via POST /admin/empresas/{empresa_id}/routers. The full key is returned once in the api_key field of the response.
Configure the captive portal page
Place the key in your captive portal HTML or JavaScript configuration so it is included in every API request:
Send the key on every captive-portal request
Pass the full key (including the jwt_ prefix) in the Authorization: Bearer header:
The API will:
- Check that the credential starts with jwt_.
- Strip the prefix and decode the JWT using JWT_APIKEY_SECRET.
- Compute SHA256(raw_jwt) and look up the hash in the api_keys_tracking table.
- Confirm the record exists, revoked == false, and the token is not expired.
- Load the associated Empresa and Router objects and verify the company is active.
Validation Logic
When the API receives a request carrying a jwt_-prefixed credential, AuthHandler.authenticate_api_key (in app/core/auth.py) performs the following checks in order:
- Prefix check — The credential must start with jwt_. Any other format returns 401 Formato de API Key inválido.
- JWT signature & expiry — The stripped token is decoded with JWT_APIKEY_SECRET. An expired token returns 401 API Key expirada; a tampered token returns 401 API Key inválida.
- Tracking lookup — SHA256(raw_jwt) is computed and matched against the key_hash column in api_keys_tracking. If no non-revoked record is found, the request is rejected with 401 API Key no válida o revocada.
- Company active check — The associated Empresa must exist and have activa == true.
- Usage update — last_used and use_count are updated on every successful authentication.
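The check order above, as an added Python example using only the standard library; it is not the project's AuthHandler.authenticate_api_key. The demo secret, the in-memory TRACKING dict, the function names, the inactive-company response, and hashing the JWT without its jwt_ prefix are assumptions.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"   # stands in for JWT_APIKEY_SECRET
TRACKING = {}                         # key_hash -> row; stands in for api_keys_tracking
ACTIVE_EMPRESAS = {"emp_demo"}        # constructed: companies with activa == true

def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def key_hash(raw_jwt):  # assumption: the hash covers the JWT without the jwt_ prefix
    return hashlib.sha256(raw_jwt.encode()).hexdigest()

def issue(router_id, empresa_id, now, ttl=3600):
    claims = {"jti": "key_demo0001", "iss": "mikrotik-payment-api", "sub": router_id,
              "empresa": empresa_id, "iat": now, "exp": now + ttl, "type": "router_api_key"}
    head = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = head + "." + b64(json.dumps(claims).encode())
    raw = signing_input + "." + b64(sign(signing_input))
    TRACKING[key_hash(raw)] = {"revoked": False, "use_count": 0, "last_used": None}
    return "jwt_" + raw

def authenticate(credential, now):
    if not credential.startswith("jwt_"):                     # 1. prefix check
        return 401, "Formato de API Key inválido"
    raw = credential[len("jwt_"):]
    try:                                                      # 2. signature, then expiry
        head, body, sig = raw.split(".")
        if json.loads(unb64(head)).get("alg") != "HS256":     # pin the algorithm
            raise ValueError("unexpected alg")
        if not hmac.compare_digest(sign(head + "." + body), unb64(sig)):
            raise ValueError("bad signature")
        claims = json.loads(unb64(body))
    except (ValueError, AttributeError):
        return 401, "API Key inválida"
    if claims["exp"] <= now:
        return 401, "API Key expirada"
    row = TRACKING.get(key_hash(raw))                         # 3. tracking lookup
    if row is None or row["revoked"]:
        return 401, "API Key no válida o revocada"
    if claims["empresa"] not in ACTIVE_EMPRESAS:              # 4. company active check
        return 401, "Empresa inactiva"                        # assumed status and message
    row.update(use_count=row["use_count"] + 1, last_used=now) # 5. usage update
    return 200, claims
```

A key whose signature still verifies is rejected once its tracking row is marked revoked, which is why the hash lookup runs on every request rather than trusting the JWT alone.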
Rotating a Key
If a key is lost, compromised, or needs periodic renewal, a super_admin can regenerate it. The old key is immediately revoked and requests using it will fail.
Revoking a Key
To immediately invalidate a specific key without issuing a replacement:
Checking Key Status
Inspect the current active key for any router — useful for diagnostics and proactive renewal monitoring:
Key Management Endpoint Reference
| Method | Path | Description |
|---|---|---|
| POST | /admin/empresas/{empresa_id}/routers | Create router and generate initial API Key |
| POST | /admin/empresas/{empresa_id}/routers/{router_id}/regenerate-api-key | Revoke current key and issue a new one |
| POST | /admin/empresas/{empresa_id}/routers/{router_id}/api-keys/{key_id}/revoke | Revoke a specific key without replacing it |
| GET | /admin/empresas/{empresa_id}/routers/{router_id}/api-key-status | Check status and expiry of the active key |
| GET | /admin/empresas/{empresa_id}/routers/{router_id}/api-keys | List all keys (active and historical) for audit |
super_admin session token in the Authorization: Bearer header.