Authentication

Bot Tokens

Every bot has a secret token. Include it in every REST API request as a Bearer token with the Bot prefix:

http

Authorization: Bot YOUR_TOKEN_HERE

Keep your token secret

Anyone with your bot token can control your bot. Never commit it to source control or expose it in client-side code. Use environment variables.

Regenerating a Token

If your token is compromised, go to Settings → Developer, find your bot, and click the Regenerate Token button (🔄). The old token is immediately invalidated.

Token Format

Bot tokens are opaque strings. Do not attempt to decode or parse them — the format may change.

WebSocket Authentication

When connecting to the WebSocket gateway, you authenticate during the handshake using an IDENTIFY message. See the WebSocket Gateway page for the full flow.

Example

typescript

const BASE_URL = 'https://app.fluffwire.com/api'
const TOKEN = process.env.FLUFFWIRE_BOT_TOKEN

const response = await fetch(`${BASE_URL}/channels/${channelId}/messages`, {
  method: 'POST',
  headers: {
    'Authorization': `Bot ${TOKEN}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ content: 'Hello from my bot!' }),
})

Authentication ​

Bot Tokens ​

Regenerating a Token ​

Token Format ​

WebSocket Authentication ​