API Overview

Authentication

Lezu supports browser sign-in for people and scoped API keys for automation.

User Sessions

Use session routes when building browser-based flows:

POST /v1/auth/sign-up
POST /v1/auth/verify-email
POST /v1/auth/resend-verification
POST /v1/auth/sign-in
POST /v1/auth/sign-out
POST /v1/auth/forgot-password
POST /v1/auth/reset-password
GET  /v1/auth/session
GET  /v1/users/me

Browser session calls use a secure HttpOnly cookie. Frontend clients should send requests with credentials enabled:

await fetch("https://api.lezu.app/v1/auth/session", {
  credentials: "include"
});

Session cookies are accepted only from configured Lezu dashboard origins. Unsafe browser requests such as sign-in, sign-out, imports, releases, and API-key management must include an allowed Origin header.

Sign-up request:

{
  "email": "developer@example.com",
  "password": "a-long-password",
  "name": "Developer"
}

Sign-up creates an unverified user and sends an email verification link. It does
not create a browser session until the verification token is submitted:

POST /v1/auth/verify-email

Password reset is email-token based:

POST /v1/auth/forgot-password
POST /v1/auth/reset-password

API Keys

Use API keys for scripts, CI jobs, backend services, and external integrations.

Authorization: ApiKey lez_...

Create an API key:

POST /v1/api-keys
Authorization: ApiKey lez_...
Content-Type: application/json

{
  "name": "Production import job",
  "scopes": ["i18n:read", "i18n:write", "translate:read", "translate:write"]
}

The raw token is shown once when the key is created. Store it securely in your own password manager, CI secret store, or deployment platform.

Common Scopes