All Keybase URL's look like this:
You must include a
csrf_token with all POST requests (except signup). You can send this token
either in your post data (as "csrf_token") or in your http headers (as "X-CSRF-Token"). In turn,
all requests reply with a csrf token. For example, this is how you'd perform a login. It requires
two API calls:
- GET /salt - request a salt for the given user's username (and get a csrf token)
- calculate a password hash in the client (a function of password & salt)
- POST /login - including the hash and csrf_token
API requests which require a logged in user must provide a session cookie for the user.
Pssst, we're hiring.