`POST /v1/auth/magic/mint` — internal endpoint the bot calls when a user runs `/web`. Authenticates via `x-internal-secret` (constant-time compare against `BOT_INTERNAL_SECRET`). Inserts a fresh nonce row and returns it. No JWT is issued here

POST

auth

magic

mint

`POST /v1/auth/magic/mint` — internal endpoint the bot calls when a user runs `/web`. Authenticates via `x-internal-secret` (constant-time compare against `BOT_INTERNAL_SECRET`). Inserts a fresh nonce row and returns it. No JWT is issued here — that happens on consume.

curl --request POST \
  --url https://api.pegana.xyz/v1/auth/magic/mint \
  --header 'Content-Type: application/json' \
  --header 'x-internal-secret: <x-internal-secret>' \
  --data '
{
  "telegram_id": 123
}
'

{
  "expires_at": "2023-11-07T05:31:56Z",
  "nonce": "<string>"
}

Headers

x-internal-secret

string

required

Shared secret (BOT_INTERNAL_SECRET); bot-only, not a user bearer token

Body

application/json

telegram_id

integer<int64>

required

Response

Fresh magic-link nonce

expires_at

string<date-time>

required

nonce

string

required

`POST /v1/auth/telegram` — exchange a verified Telegram Login Widget payload for a 7-day session JWT. Unauthenticated; the HMAC over the payload (signed with SHA256(BOT_TOKEN)) is the credential.

⌘I

curl --request POST \
  --url https://api.pegana.xyz/v1/auth/magic/mint \
  --header 'Content-Type: application/json' \
  --header 'x-internal-secret: <x-internal-secret>' \
  --data '
{
  "telegram_id": 123
}
'

{
  "expires_at": "2023-11-07T05:31:56Z",
  "nonce": "<string>"
}