Authentication

API key, session, and rate limiting configuration for the Comicarr API.

Comicarr supports three authentication methods. All API access requires API_ENABLED=True and a valid API_KEY, both configured in Settings > General.

Authentication Methods

Pass your API key in the Api-Key header:

curl -H "Api-Key: YOUR_API_KEY" http://localhost:8090/rest/watchlist

Pass your API key as the apikey query parameter:

curl "http://localhost:8090/api?cmd=getIndex&apikey=YOUR_API_KEY"

Authenticate via the login endpoint to receive a session cookie. Subsequent requests use the cookie automatically.

# Login and save the session cookie
curl -c cookies.txt -X POST http://localhost:8090/auth/login_json \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": "your_password"}'

# Use the session cookie for API requests
curl -b cookies.txt http://localhost:8090/rest/watchlist

Configuring the API Key

  1. Open Settings > General in the Comicarr UI
  2. Set API_ENABLED to True
  3. Enter or generate an API_KEY
  4. Save settings

API key storage

The API key is stored in config.ini. It is not encrypted because it must be compared on every request, but it is never exposed in the UI after being set.

Session Endpoints

EndpointMethodDescription
/auth/loginPOSTForm-based login (redirects on success)
/auth/login_jsonPOSTJSON login (returns session token)
/auth/logout_jsonPOSTInvalidate current session
/auth/check_sessionGETVerify if current session is valid

Rate Limiting

Failed authentication attempts are rate-limited per IP address:

ParameterValue
Max attempts5
Lockout duration300 seconds

After 5 failed attempts from the same IP, all authentication requests from that IP are rejected for 300 seconds. This applies to both API key and session-based authentication.

API

Overview of Comicarr's REST and legacy API surfaces.

REST API

Modern JSON API with pagination and event streaming.

On this page

Authentication MethodsConfiguring the API KeySession EndpointsRate Limiting