The public API uses app tokens (JWT) created in the Karzoun Developer dashboard.
```bash
-H "x-app-token: YOUR_APP_TOKEN_JWT"
```
POST /graphql
Every GraphQL request is a JSON POST that carries your token in the `x-app-token` header.
| Header | Required | Description |
|---|---|---|
| x-app-token | Yes | App JWT from Developer → Apps |
| Content-Type | Yes | application/json |
Apps can be scoped to user groups or allowed for all users. Create apps with the minimum permissions needed for your integration.
```graphql
query {
  currentUser {
    _id
    email
  }
}
```
```bash
curl -X POST 'https://YOUR_SUBDOMAIN.api.karzoun.chat/graphql' \
  -H 'Content-Type: application/json' \
  -H 'x-app-token: YOUR_APP_TOKEN' \
  -d '{"query":"query { currentUser { _id email } }"}'
```
Verify your token
Use the currentUser query to confirm authentication before building integrations.
- Never expose app tokens in browser-side code
- Use MCP and server-side agents with tokens on the backend only
- Rotate tokens by creating a new app and revoking the old one
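
A pre-deploy check for the first rule above, as an added example (not Karzoun's own code): it scans front-end build output for JWT-shaped strings and confirms each one by decoding its header, so an app token bundled into browser code fails the build. The function names, the `dist/*.js` path and the sample token are constructed for illustration.

```python
import base64
import json
import re
import sys

# A JWT is three base64url segments joined by dots. Its header is a JSON
# object, so the first segment always begins with "eyJ" (base64 of '{"').
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def _b64url_json(segment):
    """Decode a base64url segment to a dict; return None if it is not JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    try:
        value = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return value if isinstance(value, dict) else None


def find_embedded_jwts(text):
    """Return (line_number, redacted_token) for every JWT found in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in JWT_RE.finditer(line):
            header_seg, payload_seg, _sig = match.group(0).split(".")
            header = _b64url_json(header_seg)
            # Require an "alg" header and a JSON payload so that strings
            # which merely resemble a JWT are not reported.
            if header and "alg" in header and _b64url_json(payload_seg) is not None:
                findings.append((lineno, match.group(0)[:12] + "...[redacted]"))
    return findings


def make_constructed_token():
    """Build a fake, unsigned JWT-shaped value for testing the scanner."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc({"app": "constructed"}), "c2ln"])


if __name__ == "__main__":
    # Usage: python scan_tokens.py dist/*.js  (exits 1 if any token is found)
    hits = 0
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, token in find_embedded_jwts(fh.read()):
                print(f"{path}:{lineno}: embedded JWT {token}")
                hits += 1
    sys.exit(1 if hits else 0)
```

Findings are printed with the token truncated so the scan output itself does not leak the credential into CI logs.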