Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.edge.glitchexecutor.com/llms.txt

Use this file to discover all available pages before exploring further.

The Glitch Edge API supports two authentication paths. Same routes, same shapes; the auth header just changes. The SPA at /app/ sets a glitch_edge_session HTTP-only cookie scoped to .glitchexecutor.com. Every browser request to /api/* carries it automatically. Cookie auth is opaque to you — you never see the JWT. 
# in a browser fetch() the cookie is sent automatically:
fetch('/api/v1/me', { credentials: 'include' })

2. Personal API key (scripts + MCP)

Generate from in the app. Token format: 
gle_<8 alnum>.<32 alnum>
The token is shown once at creation. If you lose it, revoke + create a new one.
Treat tokens like passwords. One token = full access to the owner’s account. Glitch Edge will never ask you to share a token over chat / email.

Using a token

Pass it as a Bearer token in the Authorization header: 
curl -H "Authorization: Bearer gle_xxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
  https://edge.glitchexecutor.com/api/v1/me
Python
import httpx

token = "gle_xxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
r = httpx.get(
    "https://edge.glitchexecutor.com/api/v1/me",
    headers={"Authorization": f"Bearer {token}"},
)
print(r.json())
TypeScript / Node
const token = "gle_xxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
const r = await fetch("https://edge.glitchexecutor.com/api/v1/me", {
  headers: { Authorization: `Bearer ${token}` },
})
console.log(await r.json())

Token rotation + revocation

  • Revoke any time at Settings → API keys. Existing scripts get 401 invalid_api_key immediately.
  • Last-used timestamp is updated on every authed request — handy for spotting forgotten keys.
  • We never auto-expire tokens, but you can set expires_at via the API on creation if your security model wants finite TTL. (Self-managed; we don’t rotate for you.)

Errors

HTTPcodemeaning
401auth_requiredNo cookie + no Bearer header
401invalid_api_keyBearer was present but malformed / expired / revoked
403(no code)Token resolved to a user that can’t do this action
A bogus Bearer always 401s without falling through to cookie auth — that’s intentional. If your script sends a bad token, you should see the error, not silently fall back.

Logout / sign-out

  • Cookie path: POST /api/v1/auth/logout clears the cookie.
  • API key path: revoke the key. Logging out of a browser session does not affect API keys, and revoking an API key does not log you out of browser sessions.