The Denialbase API is organized around REST. Requests accept JSON-encoded bodies, return JSON-encoded responses, and use standard HTTP status codes, authentication, and verbs.

Base URL

https://api.denialbase.com/api/v1

Authentication

Denialbase uses httpOnly cookie-based JWT authentication. See Authentication for the full flow.
Never use localStorage or Bearer tokens from client-side JavaScript — all session cookies are httpOnly and Secure. If you need programmatic access outside a browser, see API tokens.

Supported authentication factors

  • Password (12+ chars, zxcvbn score ≥ 3)
  • TOTP (RFC 6238)
  • Passkeys (WebAuthn / FIDO2)
  • Magic links (email-based, short TTL)
  • Google OAuth 2.1

Rate limits

Endpoint group | Limit
Auth (login, 2FA) | 5 req / 20 s per IP
Read endpoints | 300 req / minute per user
Write endpoints | 60 req / minute per user
File uploads | 30 req / minute per user

Rate limits are enforced by Rack::Attack backed by Memorystore Redis and return 429 Too Many Requests with a Retry-After header. See Rate Limits for more detail.
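
A client-side sketch of honoring the 429 / Retry-After contract described above (an added example, not Denialbase code). The `send` callable, the 1-second fallback and the 60-second cap are assumptions; since the page does not say which Retry-After form is sent, both the delta-seconds and HTTP-date forms are handled.

```python
import email.utils
import time


def retry_after_seconds(value, now=None, default=1.0, cap=60.0):
    """Turn a Retry-After value (delta-seconds or HTTP-date) into a bounded wait."""
    if value is None:
        return default
    value = value.strip()
    if value.isascii() and value.isdigit():
        wait = float(value)
    else:
        try:
            when = email.utils.parsedate_to_datetime(value)
        except (TypeError, ValueError):
            return default  # unparseable header: fall back, never spin
        wait = when.timestamp() - (time.time() if now is None else now)
    return min(max(wait, 0.0), cap)  # clamp: no negative sleep, no unbounded stall


def call_with_retry(send, max_attempts=4, sleep=time.sleep, clock=time.time):
    """Call send() until it returns something other than 429 or attempts run out.

    send is a hypothetical transport callable returning (status, headers, body).
    Returns (status, body, attempts_used).
    """
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send()
        if status != 429 or attempt == max_attempts:
            return status, body, attempt
        lowered = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
        sleep(retry_after_seconds(lowered.get("retry-after"), now=clock()))


def demo():
    """Replay three constructed responses; return the result and the waits taken."""
    t0 = 1_700_000_000  # constructed clock value
    replies = iter([
        (429, {"Retry-After": "20"}, ""),
        (429, {"retry-after": email.utils.formatdate(t0 + 30, usegmt=True)}, ""),
        (200, {}, '{"ok": true}'),
    ])
    waits = []
    result = call_with_retry(lambda: next(replies), sleep=waits.append, clock=lambda: t0)
    return result, waits


if __name__ == "__main__":
    print(demo())
```
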

Versioning

The API is versioned via URL prefix (/api/v1). Breaking changes ship as a new version; non-breaking additions (new fields, new endpoints) are added to the current version without a new URL.

SDKs

We don’t publish official SDKs yet. The OpenAPI spec is available at openapi.yaml — use it to generate a client in your language of choice.

Errors

Denialbase uses conventional HTTP response codes:

Code | Meaning
200 | OK
201 | Created
204 | No Content
400 | Bad Request — malformed or missing required fields
401 | Unauthorized — missing or invalid authentication
403 | Forbidden — authenticated but not authorized
404 | Not Found
422 | Unprocessable Entity — validation failed
429 | Too Many Requests — rate limit hit
5xx | Server error — we’re on it