API Overview

Stack offers a REST API for backends & frontends of any programming language or framework. This API is used to authenticate users, manage user data, and more.

Authentication

The following authentication headers are common to every endpoint:

curl https://api.stack-auth.com/api/v1/ \
  -H "X-Stack-Access-Type: <either 'client' or 'server'>" \
  -H "X-Stack-Project-Id: <your project UUID>" \
  -H "X-Stack-Publishable-Client-Key: pck_<your publishable client key>" \
  -H "X-Stack-Secret-Server-Key: ssk_<your secret server key>" \
  -H "X-Stack-Access-Token: <the current user's access token>"

Header                            Type                   Description
X-Stack-Access-Type               "client" | "server"    Required. "client" (without quotes) for the frontend API, or "server" for the backend API.
X-Stack-Project-Id                UUID                   Required. The project ID as found on the Stack dashboard.
X-Stack-Publishable-Client-Key    string                 Required for client access. The API key as found on the Stack dashboard.
X-Stack-Secret-Server-Key         string                 Required for server access. The API key as found on the Stack dashboard.
X-Stack-Access-Token              string                 Optional. The access token for the current user. If not given, the request is considered to be logged out.

To see how to use these headers in various programming languages, see the examples.

FAQ

Any language that has the ability to send HTTP requests can use the Stack REST API. This includes JavaScript, Python, Ruby, Java, Go, C#, Dart, and many more.

Client access type is mostly used for client-side applications, like a browser or mobile app. The client APIs can only read and update the currently authenticated user’s data, and it is usually fine to post the publishable client key in the client-side code.

Server access type, on the other hand, is for your backend server that you control. It has full access over all user data, and the secret server key should never be exposed to client-side code.

For more information, see the concept documentation on StackApp.
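
The header rules from the table and the client/server split described above, as an added JavaScript example (not Stack's own code). buildStackHeaders and findLeakedServerKeys are hypothetical helper names, only the "client" and "server" access types are handled, and the key character pattern used for scanning is an assumption; only the pck_ and ssk_ prefixes come from this page.

```javascript
// Added example: enforce the header table per access type and scan text for server keys.
// Only the pck_/ssk_ prefixes come from the page; key charset and length are assumptions.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const SERVER_KEY_RE = /ssk_[A-Za-z0-9_-]{8,}/g;

// Constructed sample values (not real keys or project IDs).
const SAMPLE_PROJECT_ID = "00000000-0000-4000-8000-000000000000";
const SAMPLE_BUNDLE = 'cfg = { a: "pck_constructedClientKey01", b: "ssk_constructedServerKey01" };';

function buildStackHeaders(opts) {
  const { accessType, projectId, publishableClientKey, secretServerKey, accessToken } = opts;
  if (accessType !== "client" && accessType !== "server") {
    throw new Error("X-Stack-Access-Type must be 'client' or 'server'");
  }
  if (!UUID_RE.test(projectId || "")) {
    throw new Error("X-Stack-Project-Id must be a UUID");
  }
  const headers = { "X-Stack-Access-Type": accessType, "X-Stack-Project-Id": projectId };
  if (accessType === "client") {
    // The secret server key must never travel with client-side requests.
    if (secretServerKey) {
      throw new Error("refusing to attach a secret server key to a client request");
    }
    if (!String(publishableClientKey || "").startsWith("pck_")) {
      throw new Error("client access requires a pck_ publishable client key");
    }
    headers["X-Stack-Publishable-Client-Key"] = publishableClientKey;
  } else {
    if (!String(secretServerKey || "").startsWith("ssk_")) {
      throw new Error("server access requires an ssk_ secret server key");
    }
    headers["X-Stack-Secret-Server-Key"] = secretServerKey;
  }
  // Optional: without it the request is considered logged out.
  if (accessToken) headers["X-Stack-Access-Token"] = accessToken;
  return headers;
}

// Scan text that will ship to the browser (bundles, HTML) for secret server keys.
function findLeakedServerKeys(text) {
  return [...text.matchAll(SERVER_KEY_RE)].map((m) => ({
    index: m.index,
    redacted: m[0].slice(0, 8) + "...", // never echo the full key into logs
  }));
}
```

Running findLeakedServerKeys over built frontend assets in CI catches a secret server key before it is published.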

If you’d like to build your own version of the Stack dashboard (or update project configuration programmatically), you can use the admin access type. These endpoints are very dangerous and you should only use them if you know what you’re doing.

For more information, see the concept documentation on StackApp.
