Authentication
API key, session, and rate limiting configuration for the Comicarr API.
Comicarr supports three authentication methods. The API is always enabled. An API key is auto-generated on first startup and can be regenerated in Settings > Web Interface.
Authentication Methods
Pass your API key in the X-Api-Key header:
curl -H "X-Api-Key: YOUR_API_KEY" http://localhost:8090/api/watchlistPass your API key as the apikey query parameter:
curl "http://localhost:8090/api?cmd=getIndex&apikey=YOUR_API_KEY"Authenticate via the login endpoint to receive a session cookie. Subsequent requests use the cookie automatically.
# Login and save the session cookie
curl -c cookies.txt -X POST http://localhost:8090/api/auth/login \
-H "Content-Type: application/json" \
-H "X-Requested-With: ComicarrFrontend" \
-d '{"username": "admin", "password": "your_password"}'
# Use the session cookie for API requests
curl -b cookies.txt http://localhost:8090/api/watchlistConfiguring the API Key
An API key is auto-generated when Comicarr first starts. To regenerate it:
- Open Settings > Web Interface in the Comicarr UI
- Click regenerate on the API key field
- Save settings
API key storage
The API key is auto-generated on first startup and stored in config.ini. It is never exposed in the UI after being set. You can regenerate it at any time from the settings page.
Session Endpoints
| Endpoint | Method | Description |
|---|---|---|
/api/auth/login | POST | JSON login (returns JWT session cookie) |
/api/auth/logout | POST | Invalidate current session |
/api/auth/check-session | GET | Verify if current session is valid |
/api/auth/setup | POST | First-run credential setup |
Rate Limiting
Failed authentication attempts are rate-limited per IP address:
| Parameter | Value |
|---|---|
| Max attempts | 5 |
| Lockout duration | 300 seconds |
After 5 failed attempts from the same IP, all authentication requests from that IP are rejected for 300 seconds. This applies to both API key and session-based authentication.