Skip to main content
API Preview
Developers

Authentication

The way most people sign in is the browser connector. No terminal, no token to paste. The methods below are the developer paths for programmatic access. The ~alter API supports JWT bearer tokens for user sessions, OAuth-bearer capability tokens for agents and MCP access, and x402 micropayment proofs for paid identity queries.

Sign in through the browser connector

In Claude, ChatGPT, Le Chat, or Perplexity, add ~alter as a custom connector at https://mcp.truealter.com, sign in through your browser, and choose your ~handle. Choosing your ~handle is how your account is created. Then use your AI as you normally would.

Sign-in runs over OAuth. The connector registers itself and discovers the sign-in endpoints, so your client walks you through consent and stores the capability token for you. There is no token to copy, and there is no member website to log in to. Your AI client is the surface. The JWT, capability-token, and curl methods below are for building your own programmatic client.

Developer paths

Building your own client against the API directly? These are the three programmatic methods.

JWT Bearer Token
Most API endpoints require a JWT access token obtained via the /auth/login endpoint.
OAuth-bearer capability
Agents and programmatic clients authenticate through the OAuth-bearer capability ladder.
x402 Micropayment
Paid MCP tools and credential queries require x402 payment proof.

JWT Bearer Tokens

Most API endpoints require a JWT access token obtained via the /auth/login endpoint. Access tokens expire after 6 hours. Refresh tokens are set as HttpOnly cookies with 7-day expiry.

Access tokens use RS256 (RSA with SHA-256) signing

Refresh tokens are rotated on each use (old token is revoked)

Passwords are hashed with Argon2id - never bcrypt or scrypt

MFA (TOTP) is supported as an optional second factor

bash
Authorization: Bearer <access_token>

Registration

Create a new account. On success the endpoint returns the user object. You can then log in to obtain tokens.

curl -X POST https://mcp.truealter.com/api/v1/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "email": "you@example.com",
    "password": "your-secure-password", // pragma: allowlist secret
    "full_name": "Jane Smith"
  }'

# 201 Created
# {
#   "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
#   "email": "you@example.com",
#   "full_name": "Jane Smith",
#   "role": "member"
# }

Request Body

NameTypeDescription
email*stringValid email address. Must be unique across the platform.
password*stringMinimum 8 characters. Hashed with Argon2id server-side.
full_name*stringDisplay name for the user profile.

Login

Exchange credentials for a JWT access token and an HttpOnly refresh cookie. The access token is returned in the response body; the refresh token is set as a Set-Cookie header with HttpOnly; Secure; SameSite=Lax flags.

curl -X POST https://mcp.truealter.com/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "you@example.com", "password": "your-secure-password"}'

# 200 OK
# {
#   "access_token": "eyJhbGciOiJFUzI1NiIs...",
#   "token_type": "bearer"
# }
# Set-Cookie: refresh_token=...; HttpOnly; Secure; SameSite=Lax; Max-Age=604800

Token Refresh

When the access token expires, use the refresh endpoint to obtain a new pair. The browser sends the refresh cookie automatically. The old refresh token is revoked and a new one is issued (rotation).

# The refresh token cookie must be included in the request
curl -X POST https://mcp.truealter.com/api/v1/auth/refresh \
  -b "refresh_token=your_refresh_token_value"

# 200 OK
# {
#   "access_token": "eyJhbGciOiJFUzI1NiIs...(new)...",
#   "token_type": "bearer"
# }
# Set-Cookie: refresh_token=...(new)...; HttpOnly; Secure; SameSite=Lax

Token lifecycle: Access tokens expire after 6 hours. Refresh tokens expire after 7 days. Each refresh rotates both tokens. If the refresh token is expired or revoked, the user must log in again.

OAuth-bearer capability authentication

Agents and programmatic clients authenticate through the OAuth-bearer capability ladder. Connect via OAuth, then receive a capability token (cap-JWT) scoped per tool with explicit consent. The token travels in the Authorization header as a bearer credential. Rate limits are set per authenticated role, not by a free/pro split: a member capability allows 120 requests/minute and 5,000/day, while unauthenticated requests run in the lowest bucket at 40/minute and 20,000/day.

Member capability: 120 requests/minute, 5,000 requests/day

Org viewer and auditor capabilities: 60 requests/minute, 2,000 requests/day

Unauthenticated: 40 requests/minute, 20,000 requests/day

Each capability token is scoped per tool, with consent granted explicitly and revocable at any time

bash
Authorization: Bearer <capability_token>

Using a capability token

A capability token travels in the same Authorization header as a JWT access token. Connect via OAuth, receive a token scoped per tool with explicit consent, then present it as a bearer credential. The server reads the token's scope to decide which tools the call may reach.

curl https://mcp.truealter.com/api/v1/me \
  -H "Authorization: Bearer eyJhbGciOiJFUzI1NiIs..."

Multi-Factor Authentication (TOTP)

~alter supports TOTP-based multi-factor authentication as an optional second factor. Once enabled, login requires both credentials and a 6-digit code from an authenticator app.

Setting up MFA

Call the MFA setup endpoint to receive a TOTP secret and provisioning URI. Register the secret in your authenticator app (Google Authenticator, Authy, 1Password, etc.), then verify with a code to activate MFA.

# Step 1: Request TOTP secret
curl -X POST https://mcp.truealter.com/api/v1/auth/mfa/setup \
  -H "Authorization: Bearer eyJhbGciOiJFUzI1NiIs..."

# 200 OK
# {
#   "secret": "JBSWY3DPEHPK3PXP", // pragma: allowlist secret
#   "provisioning_uri": "otpauth://totp/~Alter:you@example.com?secret=JBSWY3DPEHPK3PXP&issuer=~Alter"
# }

# Step 2: Verify with a code from your authenticator app
curl -X POST https://mcp.truealter.com/api/v1/auth/mfa/verify \
  -H "Authorization: Bearer eyJhbGciOiJFUzI1NiIs..." \
  -H "Content-Type: application/json" \
  -d '{"code": "123456"}'

# 200 OK
# { "mfa_enabled": true }

Logging in with MFA

When MFA is enabled, the login endpoint returns a mfa_required: true response instead of tokens. Submit the TOTP code to complete authentication.

json
// Initial login response when MFA is enabled
{
  "mfa_required": true,
  "mfa_token": "temp_mfa_abc123..."
}

// Complete MFA
POST /auth/mfa/challenge
{
  "mfa_token": "temp_mfa_abc123...",
  "code": "123456"
}

// Returns the normal token response
{
  "access_token": "eyJhbGciOiJFUzI1NiIs...",
  "token_type": "bearer"
}

Collective single sign-on

Collective accounts can federate sign-on with their own identity provider. This is configured at the collective level, outside the agent-facing surface documented here. SSO-authenticated users receive the same JWT access tokens as password-authenticated users, so every call below works identically. Collective admins can reach support@truealter.com to set it up.

x402 Micropayment Authentication

Paid MCP tools and credential queries require x402 payment proof. Include a _payment object in the tool arguments with a valid payment receipt. x402 carries payment only: the call still authenticates via OAuth-bearer or login. 75% of each payment accrues to the data subject; indicative only, server-authoritative at settlement.

Each verified identity gets a one-time free allowance sized to its tier; a free read earns the data subject recognition, a paid read earns Identity Income

Prices range from $0.01 to $1.00 per invocation

All transactions recorded for Identity Income distribution

json
// x402 payment in MCP tool arguments
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "query_trait_profile",
    "arguments": {
      "member_id": "a1b2c3d4-...",
      "_payment": {
        "protocol": "x402",
        "amount": "0.20",
        "currency": "USD",
        "receipt": "x402_receipt_abc123..."
      }
    }
  }
}

When a paid tool is called without payment, the server returns HTTP 402 Payment Required (or JSON-RPC error code -32000) with pricing metadata. See the Error Reference for details.

Docs | ~alter