LumireCRM

Docs · Auth

Auth & API keys

LumireCRM accepts two credential types interchangeably on every /v1/* route:

  • Session cookie (lumirecrm_session) — used by the browser-based admin and trader portals. Issued by POST /v1/auth/login and carried in an HttpOnly + Secure cookie.
  • API key (X-API-Key: lum_live_…) — for machine-to-machine integrations. Argon2id-hashed at rest; the plaintext is shown once at creation.

Session login

curl -i -X POST 'http://143.110.171.125:4000/v1/auth/login' \
  -H 'Content-Type: application/json' \
  -d '{"email":"admin@acme.fx","password":"ChangeMe123!"}'

# Set-Cookie: lumirecrm_session=...; HttpOnly; Path=/; SameSite=Lax

Note that this example talks plain HTTP to a bare IP, and the Set-Cookie captured above carries no Secure attribute. Over HTTP the password in the request body and the session cookie in every later request travel in cleartext, and a browser will not return a Secure cookie over HTTP at all, so point production clients at an https:// origin.

API keys

Create / list / revoke at /api-keys in the admin UI. Each key has a label and a scope set. Revocation is instant — there is no in-memory cache.

# create
curl -X POST 'http://143.110.171.125:4000/v1/api-keys' \
  -b 'lumirecrm_session=...' \
  -H 'Content-Type: application/json' \
  -d '{"label":"backoffice", "scopes":["traders:read","payments:write"]}'

# the response includes "key": "lum_live_..." — store it now, you cannot retrieve it later.
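The API-key lifecycle described above (hashed at rest, plaintext shown once, label plus scope set, instant revocation with no cache) as an added illustration in Python. This is example code, not LumireCRM's own implementation: the key layout lum_live_<id>_<secret> with a public id for lookup is an assumption (the page only shows the lum_live_ prefix), and hashlib.scrypt stands in for the Argon2id hashing the page says is used at rest so that the example runs without extra dependencies.

```python
"""Illustrative API-key store (not LumireCRM's code): mint once, keep only a slow
hash plus label and scopes, look the row up by a public key id, check scopes per
route, and revoke in place so the next request already sees it.
Assumed key layout: lum_live_<key_id>_<secret>; the page only shows the prefix."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

PREFIX = "lum_live_"  # prefix shown on the page


@dataclass
class StoredKey:
    key_id: str          # public half, appears in the key, used to find the row
    salt: bytes
    digest: bytes        # slow hash of the secret half; the plaintext is never stored
    label: str
    scopes: frozenset
    revoked: bool = False


def slow_hash(secret: str, salt: bytes) -> bytes:
    # Stand-in for the Argon2id hash the page says LumireCRM stores. hashlib.scrypt
    # keeps this example dependency-free; in a real service use argon2-cffi's
    # PasswordHasher here and leave the rest of the flow unchanged.
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


class ApiKeyStore:
    def __init__(self) -> None:
        self._rows: Dict[str, StoredKey] = {}
        self._dummy_salt = os.urandom(16)  # burns the same CPU for unknown ids

    def create(self, label: str, scopes: Iterable[str]) -> str:
        """Return the plaintext key exactly once; only its hash is retained."""
        key_id = secrets.token_hex(8)     # hex, so it can never contain "_"
        secret = secrets.token_hex(24)
        salt = os.urandom(16)
        self._rows[key_id] = StoredKey(key_id, salt, slow_hash(secret, salt),
                                       label, frozenset(scopes))
        return f"{PREFIX}{key_id}_{secret}"

    def authenticate(self, header_value: str) -> Optional[StoredKey]:
        """Resolve an X-API-Key header value to its stored row, or None."""
        if not header_value.startswith(PREFIX):
            return None
        key_id, sep, secret = header_value[len(PREFIX):].partition("_")
        if not sep:
            return None
        row = self._rows.get(key_id)
        if row is None or row.revoked:
            slow_hash(secret, self._dummy_salt)  # same cost as a real verification
            return None
        if not hmac.compare_digest(slow_hash(secret, row.salt), row.digest):
            return None
        return row

    def revoke(self, key_id: str) -> None:
        # A single row update read on every request: no cache, so it takes effect
        # on the very next call, as the page promises.
        self._rows[key_id].revoked = True


def authorize(row: Optional[StoredKey], scope: str) -> bool:
    """Per-route scope check, e.g. authorize(row, "payments:write")."""
    return row is not None and scope in row.scopes
```

Looking the row up by the public id is what makes the slow hash affordable: the server verifies one hash per request instead of hashing the presented secret against every stored key, and the dummy hash on an unknown or revoked id keeps the failure path from being measurably faster than a real check.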

Rate limits

Buckets are keyed by API-key id when present, else tenant id, else client IP. If the API sits behind a load balancer or reverse proxy, make sure it sees the real client address rather than the proxy's, otherwise every caller behind that proxy shares one bucket. Three named tiers:

  • short — 20 requests / 1s
  • medium — 300 requests / 60s
  • long — 5,000 requests / 1h

Every response carries X-RateLimit-Tracker, which names the bucket the call was counted against, plus X-RateLimit-Limit-*, X-RateLimit-Remaining-* and X-RateLimit-Reset-* headers for each of the three tiers. When you are throttled, check all three Remaining values rather than only the short one: the long tier can run out while the short one still has headroom.
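The bucket selection and three-tier accounting described above, as an added illustration in Python (example code, not LumireCRM's rate limiter): one fixed-window counter per (bucket, tier), the bucket chosen as API-key id, then tenant id, then client IP, all three tiers checked on every call, and the X-RateLimit-* headers built per tier. The key:/tenant:/ip: prefixes in the tracker value, the epoch-aligned windows, and the Retry-After header on a throttled response are assumptions, not documented behaviour.

```python
"""Illustrative three-tier rate limiter (not LumireCRM's code). Assumed details:
tracker values look like key:<id> / tenant:<id> / ip:<addr>, windows are aligned
to the epoch, and a throttled call also gets Retry-After."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# (name, limit, window in seconds), the three tiers listed on the page
TIERS = (("short", 20, 1), ("medium", 300, 60), ("long", 5000, 3600))


@dataclass
class Request:
    client_ip: str
    api_key_id: Optional[str] = None
    tenant_id: Optional[str] = None


def bucket_key(req: Request) -> str:
    """Precedence from the page: API-key id, else tenant id, else client IP."""
    if req.api_key_id:
        return f"key:{req.api_key_id}"
    if req.tenant_id:
        return f"tenant:{req.tenant_id}"
    return f"ip:{req.client_ip}"


class RateLimiter:
    def __init__(self, tiers=TIERS, clock: Callable[[], float] = time.time) -> None:
        self.tiers = tiers
        self.clock = clock  # injectable so the behaviour can be tested offline
        # (bucket, tier name) -> [window_start, count]
        self._counters: Dict[Tuple[str, str], List[float]] = {}

    def check(self, req: Request) -> Tuple[int, Dict[str, str]]:
        """Return (status, headers): 200 and count the call in every tier,
        or 429 without consuming any quota when at least one tier is exhausted."""
        bucket = bucket_key(req)
        now = self.clock()
        headers = {"X-RateLimit-Tracker": bucket}
        slots = []
        exhausted = []
        for name, limit, window in self.tiers:
            window_start = now - (now % window)            # epoch-aligned window
            slot = self._counters.get((bucket, name))
            if slot is None or slot[0] != window_start:    # new window, fresh count
                slot = [window_start, 0]
                self._counters[(bucket, name)] = slot
            reset_at = window_start + window
            slots.append((name, limit, reset_at, slot))
            if slot[1] >= limit:
                exhausted.append(reset_at)
        allowed = not exhausted
        for name, limit, reset_at, slot in slots:
            if allowed:
                slot[1] += 1   # only an accepted call consumes quota, in all tiers
            headers[f"X-RateLimit-Limit-{name}"] = str(limit)
            headers[f"X-RateLimit-Remaining-{name}"] = str(limit - slot[1])
            headers[f"X-RateLimit-Reset-{name}"] = str(int(reset_at - now))
        if allowed:
            return 200, headers
        headers["Retry-After"] = str(max(1, int(min(exhausted) - now)))
        return 429, headers
```

Two properties worth noticing when you read your own X-RateLimit-* headers: a rejected call leaves every tier's Remaining untouched, so hammering a throttled endpoint does not drain the medium or long budget, and a request that carries an API key is counted in that key's bucket even when it arrives from the same IP as anonymous traffic, so the two never compete.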

Session management

A trader or admin can list their active sessions, revoke an individual device, or log out everywhere. All three calls authenticate with the current session cookie:

curl               -b 'lumirecrm_session=...' http://143.110.171.125:4000/v1/auth/sessions
curl -X DELETE     -b 'lumirecrm_session=...' http://143.110.171.125:4000/v1/auth/sessions/{id}
curl -X POST       -b 'lumirecrm_session=...' http://143.110.171.125:4000/v1/auth/sessions/revoke-all

See API reference for every endpoint with snippets in your language.