All cf0 API endpoints require authentication. cf0 uses Bearer token authentication — you pass your session JWT in the Authorization header with every request.

Getting your token

cf0 uses short-lived JWTs for authentication. Your session token is issued when you sign in and automatically renewed by the browser.

1. Sign in to cf0

Go to cf0.ai and sign in with your account credentials.

2. Retrieve the session token

Retrieve a fresh API token programmatically from the cf0 web app via the Clerk SDK:
const token = await window.Clerk.session.getToken();
This returns a short-lived JWT scoped to your active organisation. Always call getToken() immediately before each request rather than caching the result — tokens expire on the order of a minute and Clerk handles refresh automatically.

3. Pass the token in the Authorization header

Include the token on every API request:
Authorization: Bearer <your-token>

Request header format

Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
Content-Type: application/json

Example request

curl https://api.cf0.ai/api/auth/me \
  -H "Authorization: Bearer <your-token>"

Organisation context

Tokens are scoped to your organisation. The API automatically resolves your organisation from your token — you do not need to pass an org identifier separately. Some endpoints require organisation membership. If your token is not associated with an active organisation, those requests return HTTP 403 with:
{ "detail": "Organization required" }

Session verification endpoint

You can verify a token and retrieve the current user’s identity with:
POST /api/auth/session
GET  /api/auth/me
Both return:
{
  "user_id": "usr_abc123",
  "email": "[email protected]",
  "name": "Your Name"
}

Error responses

Status | Cause
401 Unauthorized | Token is missing, malformed, or expired
403 Forbidden | Token is valid but the resource requires organisation membership or admin role
An expired token returns:
{ "detail": "Could not validate credentials" }
Keep your session token secret. Anyone who holds your token can make requests on your behalf. Do not commit tokens to source control or log them.

Token expiry

Clerk session tokens are short-lived (on the order of a minute) and refreshed automatically by the Clerk SDK in the browser. For long-running server-side integrations, call getToken() immediately before each request rather than caching — caching invites silent 401s. The POST /api/auth/session endpoint verifies the current token’s freshness if you need to check explicitly.
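
The per-request token pattern and the documented error responses, combined in one request wrapper. This is an added example, not code from cf0 or Clerk: the names cf0Request, classifyAuthError and redact are hypothetical, and the single retry after a 401 is an assumption about client behaviour rather than documented cf0 behaviour.

```javascript
// Added example: cf0Request, classifyAuthError and redact are hypothetical names.
const API_BASE = "https://api.cf0.ai"; // base URL taken from the curl example on this page

// Map the documented 401/403 responses to something the caller can act on.
function classifyAuthError(status, body) {
  const detail = body && typeof body.detail === "string" ? body.detail : "";
  if (status === 401) return { kind: "unauthenticated", retry: true, detail };
  if (status === 403 && detail === "Organization required")
    return { kind: "no_active_organisation", retry: false, detail };
  if (status === 403) return { kind: "forbidden", retry: false, detail };
  return null; // not an authentication or authorisation failure
}

// Replace anything that looks like a bearer credential before it reaches a log.
function redact(text) {
  return String(text).replace(/Bearer\s+[A-Za-z0-9._~+\/-]+=*/g, "Bearer [REDACTED]");
}

// getToken and fetchImpl are injectable so the wrapper can be exercised offline.
async function cf0Request(path, options = {}, deps = {}) {
  const getToken = deps.getToken || (() => window.Clerk.session?.getToken());
  const fetchImpl = deps.fetchImpl || fetch;
  for (let attempt = 0; attempt < 2; attempt++) {
    const token = await getToken(); // fresh token for every attempt, never cached
    if (!token) throw new Error("No active session: sign in first");
    const res = await fetchImpl(API_BASE + path, {
      ...options,
      headers: {
        "Content-Type": "application/json",
        ...options.headers,
        Authorization: `Bearer ${token}`, // set last: replaces a caller-supplied Authorization key
      },
    });
    if (res.ok) return res.json();
    const body = await res.json().catch(() => ({}));
    const failure = classifyAuthError(res.status, body);
    // Assumption: a 401 may only mean the token expired in flight, so retry once.
    if (failure && failure.retry && attempt === 0) continue;
    const err = new Error(redact(`cf0 ${path} failed: HTTP ${res.status} ${(body && body.detail) || ""}`));
    err.status = res.status;
    err.kind = failure ? failure.kind : "other";
    throw err;
  }
}
```

In the cf0 web app, `await cf0Request("/api/auth/me")` uses the Clerk session directly; elsewhere, pass your own `getToken` in the third argument.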