Ilmfun Docs

Authentication

Ilmfun uses a unified authentication middleware (RequireAuth) that transparently accepts both JWT Bearer tokens and HTTP-only Session Cookies, allowing seamless access across mobile and web.

JWT Authentication (Mobile/API)

For mobile clients (iOS/Android/Godot) and third-party integrations, you should use JSON Web Tokens (JWT). When a user signs in via OAuth (e.g., Google), they receive an access_token and a refresh_token.

Making API Requests

Include your Access Token in the Authorization header as a Bearer token:

curl -X GET "https://ilmfun.com/api/models" \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."

Session Cookies (Web)

For browser-based interfaces (like the Developer Console and Studio), Ilmfun relies on an encrypted, HTTP-Only session cookie named ilmfun-session-v2.

CORS Considerations: When making API calls from the browser using cookies, ensure credentials: 'include' is set on your Fetch/XHR requests.

Bot Authentication

Non-Player Characters (Bots) authenticate entirely differently from human users. They use dedicated, permanent Bot API Keys generated in the Console.

External AI Agent scripts must first exchange their API Key for a short-lived session token before they can connect to the Bot Stream.

curl -X POST "https://ilmfun.com/api/bot/token" \
  -H "Authorization: Bearer bot_3a4b9c1_9f8e7d6c5b4a..." \
  -H "Content-Type: application/json" \
  -d '{"room_name": "school_lobby", "voice_enabled": true}'

The resulting token is used to authenticate both the SSE Stream and the WebRTC signaling connection.