Auth

Authentication

Prospero currently supports only one authentication method: personal access & refresh tokens, obtained through email/password authentication.

A valid access token is required on every request to the Prospero API. When your access token expires, you can use your refresh token to obtain a new access token.

Service Tokens & OAuth2 Coming Soon

We intend to support simple service tokens (for private integrations & scripts) as well as full OAuth2 authentication (for third-party applications) in the future.

Authentication Flow

Obtain initial access & refresh tokens

Send a POST request to /auth/login with your email and password. The response will contain your access token and refresh token in the Set-Cookie header. Here's an example of how to extract them with the curl built-in cookie jar:

Code
 
jar=$(mktemp)
curl -sS -c "$jar" \
    -X POST \
    -H "Content-Type: application/json" \
    -d '{"email":"[email protected]","plaintextPassword":"AnneHathaway"}' \
    https://api.prosperoapp.com/auth/login >/dev/null

accessToken=$(awk '$6=="accessToken"{print $7}' "$jar")
refreshToken=$(awk '$6=="refreshToken"{print $7}' "$jar")

printf 'accessToken=%s\n\nrefreshToken=%s\n' "$accessToken" "$refreshToken"
rm -f "$jar"

Store your access token and refresh token securely. Anyone who obtains these tokens will be able to act as you while interacting with the Prospero API.

Use your access token to access the Prospero API

Include your access token on all subsequent requests to the Prospero API in the Cookie header:
```
Code
 
curl -sS \
    -H "Cookie: accessToken=$accessToken" \
    https://api.prosperoapp.com/auth/whoami
```
Your access token is valid for 1 hour. If you attempt to access the Prospero API with an expired token, you'll receive a 401 Unauthorized response.
Refresh your access token

When your access token expires, you can use your refresh token to obtain a new access token. Send a GET request to /auth/refresh with your refresh token in the Cookie header. Extract the new access token from the Set-Cookie header:
```
Code
 
jar=$(mktemp)
curl -sS -c "$jar" \
    -X GET \
    -H "Cookie: refreshToken=$refreshToken" \
    https://api.prosperoapp.com/auth/refresh >/dev/null

accessToken=$(awk '$6=="accessToken"{print $7}' "$jar")

printf 'accessToken=%s\n' "$accessToken"
rm -f "$jar"
```
Your refresh token is valid for 7 days. When your refresh token expires, you'll receive a 400 Unable to verify refresh token response. You'll need to use /auth/login again to obtain a new refresh token to continue accessing the Prospero API.

Last modified on December 16, 2025

Webhooks Authorization

Authentication Flow

Obtain initial access & refresh tokens

Code
 
jar=$(mktemp)
curl -sS -c "$jar" \
    -X POST \
    -H "Content-Type: application/json" \
    -d '{"email":"[email protected]","plaintextPassword":"AnneHathaway"}' \
    https://api.prosperoapp.com/auth/login >/dev/null

accessToken=$(awk '$6=="accessToken"{print $7}' "$jar")
refreshToken=$(awk '$6=="refreshToken"{print $7}' "$jar")

printf 'accessToken=%s\n\nrefreshToken=%s\n' "$accessToken" "$refreshToken"
rm -f "$jar"

Store your access token and refresh token securely. Anyone who obtains these tokens will be able to act as you while interacting with the Prospero API.

Use your access token to access the Prospero API

Include your access token on all subsequent requests to the Prospero API in the Cookie header:
```
Code
 
curl -sS \
    -H "Cookie: accessToken=$accessToken" \
    https://api.prosperoapp.com/auth/whoami
```
Your access token is valid for 1 hour. If you attempt to access the Prospero API with an expired token, you'll receive a 401 Unauthorized response.
Refresh your access token

When your access token expires, you can use your refresh token to obtain a new access token. Send a GET request to /auth/refresh with your refresh token in the Cookie header. Extract the new access token from the Set-Cookie header:
```
Code
 
jar=$(mktemp)
curl -sS -c "$jar" \
    -X GET \
    -H "Cookie: refreshToken=$refreshToken" \
    https://api.prosperoapp.com/auth/refresh >/dev/null

accessToken=$(awk '$6=="accessToken"{print $7}' "$jar")

printf 'accessToken=%s\n' "$accessToken"
rm -f "$jar"
```
Your refresh token is valid for 7 days. When your refresh token expires, you'll receive a 400 Unable to verify refresh token response. You'll need to use /auth/login again to obtain a new refresh token to continue accessing the Prospero API.

Last modified on December 16, 2025