Authentication
Every request to the Zander API must be authenticated. The mechanism is simple: a single shared key configured once in your .env file and referenced in each plugin's config.yml.
API Key
The Zander API uses a shared API key for all requests from Minecraft plugins and other backend consumers.
Set the key in your .env file:
apiKey=your-secret-api-key-here
The same key must be added to each plugin's config.yml:
APIKey: "your-secret-api-key-here"
Sending Requests
Include the API key in the x-access-token request header:
GET /api/user/get?username=Steve HTTP/1.1
Host: example.com
x-access-token: your-secret-api-key-here
Error Responses
If the header is missing or the token does not match, the API returns:
Missing token:
{
  "success": false,
  "message": "No token provided."
}
Invalid token:
{
  "success": false,
  "message": "Invalid token."
}
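One way a server could perform this check, shown as an added example and not the Zander project's own code: Express-style middleware that reads x-access-token, compares it to the configured key in constant time, and returns the two error bodies above. The names requireApiKey, tokensMatch and simulate, the 401 status code and the sample key are assumptions.

```javascript
const { createHash, timingSafeEqual } = require('node:crypto');

// Compare SHA-256 digests so both buffers are always 32 bytes:
// timingSafeEqual throws on unequal lengths, and hashing first keeps
// the comparison time independent of how much of the key matched.
function tokensMatch(presented, expected) {
  const a = createHash('sha256').update(String(presented)).digest();
  const b = createHash('sha256').update(String(expected)).digest();
  return timingSafeEqual(a, b);
}

// Hypothetical factory returning Express-style middleware (req, res, next).
// Possible wiring (assumed): app.use('/api', requireApiKey(process.env.apiKey));
function requireApiKey(expectedKey) {
  if (typeof expectedKey !== 'string' || expectedKey.length === 0) {
    // Fail closed at startup instead of running with an empty key.
    throw new Error('apiKey is not configured');
  }
  return function apiKeyMiddleware(req, res, next) {
    // Node lowercases incoming header names.
    const token = req.headers['x-access-token'];
    if (!token) {
      // Status 401 is an assumption; the page documents only the body.
      return res.status(401).json({ success: false, message: 'No token provided.' });
    }
    if (!tokensMatch(token, expectedKey)) {
      return res.status(401).json({ success: false, message: 'Invalid token.' });
    }
    return next();
  };
}

// Constructed harness: runs the middleware against a fake request and
// records what it did, so the example works without Express installed.
function simulate(middleware, headers) {
  const result = { status: null, body: null, passed: false };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  middleware({ headers }, res, () => { result.passed = true; });
  return result;
}

// Constructed key and requests, for illustration only.
const demo = requireApiKey('constructed-demo-key');
console.log(simulate(demo, { 'x-access-token': 'constructed-demo-key' }).passed);
console.log(simulate(demo, {}).body);
console.log(simulate(demo, { 'x-access-token': 'wrong-key' }).body);
```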
Feature-Gated Endpoints
Some endpoints also check whether their associated feature is enabled in features.json. If a feature is disabled, the endpoint returns:
{
  "success": false,
  "message": "This feature has been disabled."
}
Web Session Authentication
The web dashboard uses cookie-based session authentication, managed by the express-session library with a Prisma store. This is separate from the API key and applies only to browser-based dashboard access.