API login (POST /user/login)

Use this to obtain a JWT for all documented routes that require Connected + API.

POST /user/login

Exchanges an API key for a JWT used on subsequent calls.
POST https://api.mannco.store/user/login
Authentication: none (you send the key in the body).

Request body

The router accepts JSON (Content-Type: application/json) or application/x-www-form-urlencoded. Required field:

apiKey (string, required): API key from your Mannco.store account settings.

JSON example

{ "apiKey": "your-api-key" }

Form example

apiKey=your-api-key

Success response

{
  "err": false,
  "success": true,
  "content": {
    "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
  }
}

Use content.jwt (there is no data wrapper).

JWT claims (decoded payload)

| Claim | Type | Description |
|---|---|---|
| iss | string | Always "API" |
| sub | string | User Steam64 ID |
| exp | number | Expiry (Unix), about 31 days after issue |
| iat | number | Issued-at (Unix) |
| jti | string | Token id |
| ip | string | Client IP at login time |
| proxy | boolean | Proxy context |
| API | boolean | Always true for this flow |
| country | string | ISO country code |
| steamid | string | Steam ID (backend format) |
| roles / rolesHash | | Role data |

Errors (loginAPI.php)

| Response type | Typical HTTP | content |
|---|---|---|
| error | 300 | Missing required parameter: apiKey |
| forbidden | 403 | Invalid API key |
| forbidden | 403 | Country blocked |

Examples

cURL

curl -X POST https://api.mannco.store/user/login \
  -H "Content-Type: application/json" \
  -d '{"apiKey":"your-api-key"}'

JavaScript

// Exchange the API key for a JWT (top-level await: run as an ES module).
const res = await fetch("https://api.mannco.store/user/login", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ apiKey: "your-api-key" }),
});
const data = await res.json();
const jwt = data.content.jwt;

Python

import requests

# Exchange the API key for a JWT; the timeout keeps a stalled connection from hanging the client.
r = requests.post(
    "https://api.mannco.store/user/login",
    json={"apiKey": "your-api-key"},
    timeout=10,
)
data = r.json()
jwt = data["content"]["jwt"]

Store the JWT securely. When it expires, call POST /user/login again with your API key.

Using the JWT

For endpoints that require Connected + API, send:
Authorization: Bearer <jwt>
The server may also accept a session cookie in browser contexts; for API clients, Bearer is the intended method.

IP binding

The JWT is tied to the IP address at login. If your client IP changes (VPN, mobile network, proxy), requests may fail authentication. Use a stable egress IP or the same network as when you obtained the token.
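
One way a client can decide when to call POST /user/login again, covering both the expiry note and the IP binding above (an added example, not Mannco.store's code): it reads the exp and ip claims from the token payload without verifying the signature. The function names, the 300-second margin, the constructed sample token and the caller-supplied current egress IP are assumptions for illustration.

```python
import base64
import json
import time

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_claims(jwt: str) -> dict:
    """Read JWT payload claims WITHOUT verifying the signature (client has no key).
    Local bookkeeping only; the server decides whether the token is valid."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def relogin_reason(jwt, current_ip, now=None, margin=300):
    """Return "expired", "ip-changed", or None if the token still looks usable."""
    claims = decode_claims(jwt)
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp - margin <= now:
        return "expired"
    # Assumption: the ip claim is the plain textual address seen at login.
    if claims.get("ip") != current_ip:
        return "ip-changed"
    return None

# Constructed sample token: made-up claims and a placeholder signature.
SAMPLE_CLAIMS = {"iss": "API", "sub": "76561190000000000", "iat": 1_700_000_000,
                 "exp": 1_700_000_000 + 31 * 86400, "ip": "203.0.113.7", "API": True}
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "constructed-signature",
])

if __name__ == "__main__":
    for ip, now in [("203.0.113.7", 1_700_000_100), ("198.51.100.9", 1_700_000_100),
                    ("203.0.113.7", 1_700_000_000 + 31 * 86400)]:
        print(ip, now, "->", relogin_reason(SAMPLE_JWT, ip, now=now))
```

Run the check before each batch of requests and log the returned reason, so repeated "ip-changed" results point to unstable egress rather than a bad key.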

Routes without a logged-in user

Some routes only have the api filter (no connected). Public item endpoints may work without a Bearer token. GET /user/store/ does not require a user JWT. For your account data, always send the Bearer token from POST /user/login.

2FA vs API JWT

Server routes marked with 2fa accept a JWT from POST /user/login without a 2FA header: requires2FA succeeds when isAPI is true. The API key is therefore sufficient on its own to reach these routes, so protect it like a full login credential. If you use a web session instead of the API JWT, 2FA rules apply as on the website.