🚧 Expanding soon: full Authentication documentation is in progress.

Operator token

Every Pro account gets an operator token. This token authenticates all API requests and associates them with your operator account. Token format: bm_live_••••••••••••••••••••••••••••••

Getting your token

  1. Sign up at bossmode.ing/signup
  2. Go to Settings → API Token
  3. Copy your token

Using your token

Pass the token in the x-bossmode-token header on every request:
curl -sH "x-bossmode-token: $BOSSMODE_API_TOKEN" \
  https://bossmode.ing/api/pro/context
Never pass the token as a query parameter: it will appear in server logs.

Storing your token safely

# Add to .env.local (gitignored)
echo "BOSSMODE_API_TOKEN=bm_live_your_token" >> .env.local

# Or export for the session
export BOSSMODE_API_TOKEN=bm_live_your_token
Never commit your token to a repository. Never log it. Never embed it in client-side code.
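
The "never commit" and "never log" rules above can be checked mechanically. The following is an added example, not BossMode tooling: scan_for_tokens flags token-shaped strings in files (for example from a pre-commit hook) and redact_tokens scrubs them from a log stream. It assumes the masked part of the token is 16 or more characters from [A-Za-z0-9_-], which this page does not specify; the function names and sample values are constructed.

```shell
#!/bin/sh
# Added example, not BossMode tooling.
# Assumption: the token body after "bm_live_" is 16+ chars of [A-Za-z0-9_-].
# The docs placeholder "bm_live_your_token" is shorter, so it is not flagged.
TOKEN_RE='bm_live_[A-Za-z0-9_-]{16,}'

# redact_tokens: filter stdin, masking anything token-shaped before it is logged.
redact_tokens() {
  sed -E "s/${TOKEN_RE}/bm_live_[REDACTED]/g"
}

# scan_for_tokens FILE...: print "file:line:text" for each hit, with the
# token value masked so the report itself never leaks it.
# Returns 1 if any file contains a token-shaped string, 0 otherwise.
scan_for_tokens() {
  found=0
  for f in "$@"; do
    [ -f "$f" ] || continue
    hits=$(grep -HnE "$TOKEN_RE" "$f" | redact_tokens)
    if [ -n "$hits" ]; then
      printf '%s\n' "$hits"
      found=1
    fi
  done
  return "$found"
}

# run_demo: constructed sample input. One file embeds a fake token
# (client-side code, which the page forbids); the other holds only the
# documentation placeholder.
run_demo() {
  d=$(mktemp -d)
  printf 'const key = "bm_live_CONSTRUCTEDsample0123456789";\n' > "$d/app.js"
  printf 'BOSSMODE_API_TOKEN=bm_live_your_token\n' > "$d/README"
  scan_for_tokens "$d/app.js" "$d/README"
  status=$?
  rm -rf "$d"
  return "$status"
}

run_demo || echo "blocked: token-shaped string found in files above"
```

In a pre-commit hook, pass the staged file list to scan_for_tokens and abort the commit on a non-zero return.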

Token rotation

curl -sX POST https://bossmode.ing/api/pro/tokens/rotate \
  -H "x-bossmode-token: $BOSSMODE_API_TOKEN"
Rotation immediately invalidates the old token and returns a new one. Update your environment variables before the old token expires (60-second grace period).

Service-to-service calls

For internal service-to-service calls (e.g., from your own server to BossMode), use the BOSSMODE_SERVICE_KEY environment variable. This key bypasses rate limits and is not tied to a single operator account. Contact support for service key provisioning.

Token scopes

Future versions will support scoped tokens with fine-grained permissions. For now, all tokens have full operator access.

Errors

Status  Code          Description
401     UNAUTHORIZED  Token missing or invalid
403     FORBIDDEN     Token valid but insufficient permissions
429     RATE_LIMITED  Exceeded rate limit for your tier