Authentication
Mesachat uses Clerk for authentication. API requests require a valid session token or API key.
Authentication Methods
Session Token (Web UI)
When using the Mesachat web interface, authentication is handled automatically via Clerk session cookies.
Bearer Token (API)
For programmatic access, include a Bearer token in the Authorization header:
```bash
curl -H "Authorization: Bearer $CLERK_SESSION_TOKEN" \
  https://api.mesa.chat/api/bots
```
Telegram Login Widget
Telegram users can authenticate for web access via the Telegram Login Widget; the widget's auth data, which Telegram signs with a `hash` field derived from the bot token, is submitted to:
POST /api/auth/telegram
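The widget payload can only be trusted after its `hash` is recomputed server-side and its `auth_date` is checked for freshness. The following is an added example of that check using Telegram's published scheme (SHA256 of the bot token as the HMAC key, fields other than `hash` sorted and joined as `key=value` lines); it is not Mesachat's own handler code. The bot token, the `MAX_AUTH_AGE` window and the sample payload are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Any, Mapping, Optional

# Constructed values for this example; not a real bot token.
BOT_TOKEN = "123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11"
# Seconds a widget payload stays acceptable (replay window); hypothetical policy value.
MAX_AUTH_AGE = 300


def telegram_login_hash(auth_data: Mapping[str, Any], bot_token: str) -> str:
    """Recompute the `hash` the Telegram Login Widget attaches to its payload.

    Telegram's documented scheme: the data-check string is every field except
    `hash`, sorted by key, rendered as "key=value" and joined with "\n"; the
    HMAC-SHA256 key is SHA256(bot_token); the result is lowercase hex.
    """
    data_check_string = "\n".join(
        f"{key}={auth_data[key]}" for key in sorted(auth_data) if key != "hash"
    )
    secret_key = hashlib.sha256(bot_token.encode("utf-8")).digest()
    return hmac.new(secret_key, data_check_string.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_telegram_login(
    auth_data: Mapping[str, Any],
    bot_token: str,
    now: Optional[int] = None,
    max_age: int = MAX_AUTH_AGE,
) -> bool:
    """Return True only if the payload is signed for our bot token and is fresh.

    A valid hash proves Telegram produced the payload for this bot, but an old
    payload could be replayed, so `auth_date` is bounded as well.
    """
    if "hash" not in auth_data or "auth_date" not in auth_data:
        return False
    expected = telegram_login_hash(auth_data, bot_token)
    # Constant-time comparison so timing does not leak how much of the hash matched.
    if not hmac.compare_digest(expected.encode(), str(auth_data["hash"]).encode()):
        return False
    try:
        auth_date = int(auth_data["auth_date"])
    except (TypeError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if auth_date > now + 60:  # tolerate small clock skew, nothing more
        return False
    return now - auth_date <= max_age


# Constructed sample payload in the shape the widget posts. Its `hash` is
# produced here with the same bot token, standing in for Telegram's signature.
SAMPLE_LOGIN = {
    "id": 987654321,
    "first_name": "Ada",
    "username": "ada_example",
    "auth_date": 1700000000,
}
SAMPLE_LOGIN["hash"] = telegram_login_hash(SAMPLE_LOGIN, BOT_TOKEN)

if __name__ == "__main__":
    print(verify_telegram_login(SAMPLE_LOGIN, BOT_TOKEN, now=1700000100))  # True
    tampered = dict(SAMPLE_LOGIN, username="mallory")
    print(verify_telegram_login(tampered, BOT_TOKEN, now=1700000100))      # False
```

Note that the hash check alone is not enough: a captured payload stays valid forever under the signature, so the `auth_date` bound is what limits replay. The check also fails closed on any missing or malformed field.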
Getting a Token
From Clerk Dashboard
- Log in to your Mesachat deployment in the browser.
- Use browser devtools to copy the current Clerk session token. Clerk session tokens are short-lived JWTs (60 seconds by default) that the Clerk frontend refreshes in the background, so a copied token is only useful for quick manual testing and has to be copied again once it expires. Treat it like a password: do not paste it into shared terminals, tickets or logs.
- Include it in API requests as `Authorization: Bearer <token>`.
Programmatic Access
For server-to-server communication, use Clerk's Backend API, authenticated with your Clerk secret key, to mint session tokens. The secret key must stay on the server; it must never be shipped to browsers or bots.
Endpoint Authorization
After authentication, Mesachat checks authorization using the dual ReBAC + ABAC system:
- Identity — Who is the user? (Clerk)
- Relationships — What can they access? (OpenFGA)
- Policies — Under what conditions? (Cerbos)
Unauthenticated Endpoints
The following endpoints accept requests without a session token. "Unauthenticated" here means no user identity is required; the webhook receivers should still verify that a delivery actually came from Telegram or Clerk (Telegram's optional `secret_token` header configured via setWebhook, and the Svix signature headers on Clerk webhook deliveries) rather than accept any POST.
| Endpoint | Method | Purpose |
|---|---|---|
| /api/system/health | GET | Health check |
| /webhooks/telegram/:botId | POST | Telegram webhook receiver |
| /webhooks/clerk | POST | Clerk webhook receiver |
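Because the two webhook receivers carry no session, provenance has to come from the delivery itself. The block below is an added example, not Mesachat's code, of the two upstream mechanisms: Telegram echoes the `secret_token` given to setWebhook in the `X-Telegram-Bot-Api-Secret-Token` header (only if one was configured), and Clerk signs deliveries with the Svix scheme (`svix-id`, `svix-timestamp`, `svix-signature` headers; HMAC-SHA256 over `id.timestamp.body` with the base64 key behind the `whsec_` prefix). The secrets, the tolerance window and the sample delivery are constructed for the example.

```python
import base64
import hashlib
import hmac
import time
from typing import Mapping, Optional

# Constructed secrets for this example; not real credentials.
# The value passed as `secret_token` to Telegram's setWebhook (hypothetical).
TELEGRAM_WEBHOOK_SECRET = "example-telegram-webhook-secret"
# A Clerk webhook signing secret in Svix form: "whsec_" + base64(key bytes) (hypothetical key).
CLERK_WEBHOOK_SECRET = "whsec_" + base64.b64encode(b"example-clerk-signing-key").decode()
SVIX_TOLERANCE = 300  # seconds of timestamp drift tolerated; bounds replay of a captured delivery


def _lower_headers(headers: Mapping[str, str]) -> dict:
    # HTTP header names are case-insensitive; normalise once before lookup.
    return {k.lower(): v for k, v in headers.items()}


def telegram_webhook_authentic(headers: Mapping[str, str], secret: str) -> bool:
    """Telegram repeats the configured secret_token in this header on every delivery."""
    presented = _lower_headers(headers).get("x-telegram-bot-api-secret-token", "")
    return hmac.compare_digest(presented.encode(), secret.encode())


def svix_signature(secret: str, msg_id: str, timestamp: str, body: bytes) -> str:
    """Svix scheme used by Clerk: base64(HMAC-SHA256(key, "{id}.{timestamp}.{body}"))."""
    key = base64.b64decode(secret.split("_", 1)[1])
    signed_content = f"{msg_id}.{timestamp}.".encode() + body
    return base64.b64encode(hmac.new(key, signed_content, hashlib.sha256).digest()).decode()


def clerk_webhook_authentic(
    headers: Mapping[str, str],
    body: bytes,
    secret: str,
    now: Optional[int] = None,
    tolerance: int = SVIX_TOLERANCE,
) -> bool:
    """Verify a Clerk (Svix) delivery: fresh timestamp and a matching v1 signature."""
    h = _lower_headers(headers)
    msg_id, ts, sig_header = h.get("svix-id"), h.get("svix-timestamp"), h.get("svix-signature")
    if not (msg_id and ts and sig_header):
        return False
    try:
        ts_int = int(ts)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts_int) > tolerance:
        return False
    expected = svix_signature(secret, msg_id, ts, body)
    # The header may carry several space-separated "v1,<sig>" entries (key rotation);
    # any one matching our secret is sufficient.
    for entry in sig_header.split():
        version, _, sig = entry.partition(",")
        if version == "v1" and hmac.compare_digest(sig.encode(), expected.encode()):
            return True
    return False


# Constructed sample Clerk delivery, signed here with the example secret.
SAMPLE_BODY = b'{"type":"user.created","data":{"id":"user_example"}}'
SAMPLE_TS = "1700000000"
SAMPLE_HEADERS = {
    "svix-id": "msg_example",
    "svix-timestamp": SAMPLE_TS,
    "svix-signature": "v1," + svix_signature(CLERK_WEBHOOK_SECRET, "msg_example", SAMPLE_TS, SAMPLE_BODY),
}

if __name__ == "__main__":
    print(clerk_webhook_authentic(SAMPLE_HEADERS, SAMPLE_BODY, CLERK_WEBHOOK_SECRET, now=1700000010))  # True
    print(telegram_webhook_authentic({}, TELEGRAM_WEBHOOK_SECRET))  # False
```

The signature must be computed over the raw request bytes exactly as received; re-serialising a parsed JSON body changes whitespace and key order and will not match. Verify before any parsing or side effects, and reject deliveries whose timestamp falls outside the tolerance even when the signature is valid.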