URL format

All Keybase URL's look like this:<command>.json

POST requests

You must include a csrf_token with all POST requests (except signup). You can send this token either in your post data (as "csrf_token") or in your http headers (as "X-CSRF-Token"). In turn, all requests reply with a csrf token. For example, this is how you'd perform a login. It requires two API calls:

  1. GET /salt - request a salt for the given user's username (and get a csrf token)
  2. calculate a password hash in the client (a function of password & salt)
  3. POST /login - including the hash and csrf_token


API requests which require a logged in user must provide a session cookie for the user.

Pssst, we're hiring.