
Overview

FoN supports multiple authentication methods to suit different use cases. Choose the method that best fits your needs.

Authentication Methods

Session Cookies

When you log in through the web interface, a secure HTTP-only cookie (auth-token) is set. This cookie is automatically sent with subsequent requests.
Session cookies are ideal for browser-based applications and are automatically managed by the browser.

JWT Tokens

JSON Web Tokens are returned when you authenticate via the API. They’re valid for 24 hours.
curl -X POST https://api.fucksornot.com/api/auth \
  -H "Content-Type: application/json" \
  -d '{
    "action": "login",
    "email": "user@example.com",
    "password": "your_password"
  }'
Response:
{
  "user": {
    "id": "uuid",
    "username": "yourname",
    "email": "user@example.com"
  },
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "mfaRequired": false
}
Use the token in the Authorization header:
curl https://api.fucksornot.com/api/profile \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

API Tokens

API tokens are long-lived tokens designed for programmatic access. They’re ideal for scripts, bots, and integrations.

Generate a Token

curl -X POST https://api.fucksornot.com/api/auth/tokens/generate \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "Upload Script"}'
Response:
{
  "id": "token-uuid",
  "token": "fon_live_abc123...",
  "name": "Upload Script",
  "expiresAt": "2026-01-24T00:00:00Z"
}
Store your API token securely. It’s only displayed once and cannot be retrieved later.

Use the Token

curl -X POST https://api.fucksornot.com/api/v1/upload \
  -H "Authorization: Bearer fon_live_abc123..." \
  -F "upload_type=image" \
  -F "description=My upload" \
  -F "[email protected]"

Revoke a Token

curl -X DELETE https://api.fucksornot.com/api/auth/tokens/TOKEN_ID \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"

OAuth

FoN supports OAuth authentication with:
  • Google
  • Apple
  • Meta (Facebook)
OAuth flows are handled through the web interface. After successful OAuth authentication, a session is established with a JWT token.

Multi-Factor Authentication (MFA)

For enhanced security, enable MFA on your account.

Setup MFA

curl -X POST https://api.fucksornot.com/api/auth/mfa/setup \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"
Response:
{
  "qrCode": "data:image/png;base64,...",
  "secret": "JBSWY3DPEHPK3PXP",
  "backupCodes": [
    "abc123def456",
    "ghi789jkl012"
  ]
}
1. Scan QR Code

Use an authenticator app (Google Authenticator, Authy, etc.) to scan the QR code.

2. Verify Setup

Enter a code from your authenticator to verify setup:
curl -X POST https://api.fucksornot.com/api/auth/mfa/verify \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"mfaCode": "123456"}'

3. Save Backup Codes

Store your backup codes securely. They can be used if you lose access to your authenticator.

Login with MFA

When MFA is enabled, include the code in your login request:
curl -X POST https://api.fucksornot.com/api/auth \
  -H "Content-Type: application/json" \
  -d '{
    "action": "login",
    "email": "user@example.com",
    "password": "your_password",
    "mfaCode": "123456"
  }'

Password Management

Change Password

curl -X POST https://api.fucksornot.com/api/auth/change-password \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "currentPassword": "old_password",
    "newPassword": "new_password",
    "confirmPassword": "new_password",
    "mfaCode": "123456"
  }'

Reset Password

Request a password reset email:
curl -X POST https://api.fucksornot.com/api/auth/forgot-password \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com"}'
Use the reset token from the email:
curl -X POST https://api.fucksornot.com/api/auth/reset-password \
  -H "Content-Type: application/json" \
  -d '{
    "token": "reset_token_from_email",
    "newPassword": "new_password",
    "confirmPassword": "new_password"
  }'

Security Best Practices

API tokens are designed for programmatic access and can be revoked individually without affecting your main account.
Multi-factor authentication adds an extra layer of security to your account.
Periodically generate new API tokens and revoke old ones.
Use environment variables or secret management tools to store tokens.