Skip to main content
PUT
/
v1
/
end-users
/
{endUserId}
/
credentials
Set credentials
curl --request PUT \
  --url https://api.example.com/v1/end-users/{endUserId}/credentials \
  --header 'Content-Type: application/json' \
  --data '
{
  "twitterAuthToken": "<string>",
  "twitterCt0": "<string>",
  "redditSession": "<string>",
  "tiktokSessionId": "<string>",
  "tiktokCsrfToken": "<string>",
  "instagramSessionId": "<string>",
  "instagramCsrfToken": "<string>",
  "instagramDsUserId": "<string>"
}
'
{
  "ok": true
}

Path parameters

endUserId
string
required
Opaque identifier for the end-user. Must be ≤ 256 characters.

Request body

All fields are optional — include only the platforms you want to set or update. Existing credentials for platforms you don’t mention stay in place.
twitterAuthToken
string
twitterCt0
string
redditSession
string
tiktokSessionId
string
tiktokCsrfToken
string
instagramSessionId
string
instagramCsrfToken
string
instagramDsUserId
string
See Platforms for where to find each cookie in your browser.

Response — 200 OK

ok
boolean
Always true on success.

Example

curl "$API_BASE/end-users/alice/credentials" -X PUT \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "twitterAuthToken": "...",
    "twitterCt0": "..."
  }'

Security notes

  • Credentials are KMS-encrypted at rest with a key that only the stablebrowse workers can decrypt.
  • They’re never returned by any GET endpoint. The status endpoint returns only “configured: true/false” flags.
  • They’re scoped to (businessId, endUserId). Two businesses can both have an alice end-user with independent credentials.
  • On suspicion of leak, call DELETE /v1/end-users/{endUserId}/credentials and re-upload fresh ones.

Errors

CodeMeaning
400endUserId > 256 chars, invalid JSON body, or no recognized cred fields supplied
401Missing Authorization header
403Revoked API key