API Documentation

Welcome to the Erodea Hub API. This API allows your external platforms to communicate with the hub for user synchronization, logging, status checks, and security verification.

Base URL: https://hub.eordea.it/api/v1

What are API Keys?

API keys are unique tokens used to authenticate requests from your external platforms to the Erodea Hub. Each platform can have multiple API keys with different permissions and rate limits.

Key Characteristics

  • Keys start with the prefix ero_ followed by a 64-character hex string
  • Keys are shown only once at creation — copy and store them securely
  • Keys are stored as SHA-256 hashes in our database
  • Each key has configurable permissions and rate limits
  • Keys can be revoked instantly from the dashboard

How to Generate a Key

  1. Log into your dashboard at hub.eordea.it
  2. Navigate to your platform
  3. Click "API Keys" → "Generate New Key"
  4. Set a name, permissions, and rate limit
  5. Copy the key immediately — it won't be shown again

Authentication

All API requests (except /health) must include a valid API key. You can provide it in two ways:

Option 1: Authorization Header (Recommended)

HTTP Header
Authorization: Bearer ero_your_api_key_here

Option 2: X-API-Key Header

HTTP Header
X-API-Key: ero_your_api_key_here
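The key scheme and the two header options described above can be sketched from the server side. This is an added illustration, not the Hub's own code: the function names (generate_key, extract_key, authenticate), the store layout and the lower-case hex assumption are hypothetical, while the returned codes are those listed under Error Codes.

```python
import hashlib
import re
import secrets

# Documented key shape; lower-case hex is an assumption of this sketch.
KEY_RE = re.compile(r"ero_[0-9a-f]{64}")

def generate_key():
    """Return (plaintext_key, sha256_hex); only the hash is persisted."""
    key = "ero_" + secrets.token_hex(32)  # 32 random bytes -> 64 hex chars
    return key, hashlib.sha256(key.encode()).hexdigest()

def extract_key(headers):
    """Read the key from either documented header (names are case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    auth = h.get("authorization", "")
    if auth[:7].lower() == "bearer ":
        return auth[7:].strip()
    return h.get("x-api-key") or None

def authenticate(headers, store):
    """store: {sha256_hex: {"revoked": bool}} (hypothetical schema).
    Returns (http_status, error_code) using the codes from the Error Codes table."""
    key = extract_key(headers)
    if not key:
        return 401, "AUTH_MISSING"
    if not KEY_RE.fullmatch(key):
        return 401, "AUTH_INVALID"  # malformed input never reaches the lookup
    # The presented key is hashed and matched against stored digests, so a
    # database leak exposes no usable keys and a lost key cannot be re-shown.
    record = store.get(hashlib.sha256(key.encode()).hexdigest())
    if record is None:
        return 401, "AUTH_INVALID"
    if record["revoked"]:
        return 401, "AUTH_REVOKED"
    return 200, None
```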

Endpoints

GET /api/v1/health

Check if the Hub is online. No authentication required.

Response 200
{
  "status": "ok",
  "service": "Erodea Hub",
  "version": "1.0.0",
  "timestamp": "2026-02-23T10:00:00+00:00"
}

GET /api/v1/status

Get current status and settings of your platform.

Response 200
{
  "platform": "My App",
  "slug": "my-app",
  "is_active": true,
  "maintenance_mode": false,
  "block_registrations": false,
  "require_verification": true,
  "synced_users": 1523
}

POST /api/v1/sync-user

Sync a single user from your platform. Creates or updates.

Permission required: sync_users

Request Body
{
  "external_id": "usr_12345",
  "username": "john_doe",
  "email": "john@example.com",
  "nickname": "Johnny",
  "account_type": "premium",
  "is_verified": true,
  "metadata": {"plan": "pro", "region": "EU"},
  "cookie_accepted_at": "2026-01-15T08:30:00"
}

Response 200
{
  "success": true,
  "action": "created",
  "external_id": "usr_12345",
  "synced_at": "2026-02-23T10:05:00+00:00"
}

POST /api/v1/sync-users

Batch sync up to 100 users at once.

Request Body
{
  "users": [
    {"external_id": "1", "username": "alice", "email": "alice@ex.com"},
    {"external_id": "2", "username": "bob", "email": "bob@ex.com"}
  ]
}

POST /api/v1/log

Send a custom log entry from your platform.

Permission required: send_logs

Request Body
{
  "method": "POST",
  "endpoint": "/users/register",
  "ip_address": "203.0.113.50",
  "status_code": 201,
  "message": "New user registered",
  "response_time_ms": 145.3
}

POST /api/v1/report-user

Submit a user report/flag.

Request Body
{
  "external_user_id": "usr_99",
  "reporter_id": "usr_10",
  "report_type": "spam",
  "description": "Sending unsolicited messages"
}

GET /api/v1/check-ip?ip=203.0.113.50

Check if an IP is banned globally or for your platform.

Response 200
{
  "ip": "203.0.113.50",
  "is_banned_global": false,
  "is_banned_platform": true,
  "is_banned": true
}

Error Codes

Code                 HTTP Status  Description
AUTH_MISSING         401          No API key provided in headers
AUTH_INVALID         401          API key does not match any active key
AUTH_REVOKED         401          API key has been revoked
IP_BANNED            403          IP is globally banned
IP_BANNED_PLATFORM   403          IP is banned for this platform
PLATFORM_SUSPENDED   403          Platform is suspended or inactive
PERM_DENIED          403          API key lacks required permission
RATE_LIMIT           429          Too many requests for this key
MAINTENANCE          503          Platform is in maintenance mode
INVALID_BODY         400          Invalid or missing JSON body
MISSING_FIELD        400          Required field missing

Code Examples

Python

Python — requests
import requests

API_KEY = "ero_your_key_here"
BASE = "https://hub.eordea.it/api/v1"
headers = {"Authorization": f"Bearer {API_KEY}", "Content-Type": "application/json"}

# Sync a user
resp = requests.post(f"{BASE}/sync-user", json={
    "external_id": "12345",
    "username": "mario_rossi",
    "email": "mario@example.com",
    "is_verified": True
}, headers=headers, timeout=10)  # timeout so a stalled connection cannot hang the caller

print(resp.json())

JavaScript (Node.js)

Node.js — fetch
const API_KEY = 'ero_your_key_here';
const BASE = 'https://hub.eordea.it/api/v1';

const response = await fetch(`${BASE}/sync-user`, {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${API_KEY}`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    external_id: '12345',
    username: 'mario_rossi',
    email: 'mario@example.com',
    is_verified: true
  })
});

const data = await response.json();
console.log(data);

cURL

cURL
curl -X POST https://hub.eordea.it/api/v1/sync-user \
  -H "Authorization: Bearer ero_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{"external_id":"12345","username":"mario_rossi","email":"mario@example.com"}'

PHP

PHP — cURL
<?php
$apiKey = 'ero_your_key_here';
$url = 'https://hub.eordea.it/api/v1/sync-user';

$ch = curl_init($url);
curl_setopt_array($ch, [
    CURLOPT_POST => true,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER => [
        "Authorization: Bearer $apiKey",
        "Content-Type: application/json"
    ],
    CURLOPT_POSTFIELDS => json_encode([
        'external_id' => '12345',
        'username' => 'mario_rossi',
        'email' => 'mario@example.com'
    ])
]);
$response = curl_exec($ch);
echo $response;

Security Rules

Important Security Guidelines

  • Never expose API keys in client-side code, repositories, or logs
  • Always use HTTPS for all API requests
  • Rotate API keys periodically and revoke unused ones
  • Use the minimum permissions needed for each key
  • Monitor your request logs for unusual activity
  • Set appropriate rate limits for each key
  • If a key is compromised, revoke it immediately from the dashboard
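One way to enforce the first and fifth guidelines is to scan logs and source files for key-shaped strings before they are committed or shipped. The scanner below is an added example, not part of the Erodea Hub or its tooling: the function names, the fingerprint format and the sample text are constructed, and accepting upper-case hex is an assumption.

```python
import hashlib
import re

# "ero_" + exactly 64 hex characters, not embedded in a longer identifier.
KEY_RE = re.compile(r"(?<![0-9A-Za-z_])ero_[0-9a-fA-F]{64}(?![0-9a-fA-F])")

def fingerprint(key):
    """Truncated SHA-256: identifies which key leaked without printing it."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]

def scan(text):
    """Return [(line_number, fingerprint)] for every key-shaped token."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in KEY_RE.finditer(line):
            hits.append((n, fingerprint(m.group())))
    return hits

def redact(text):
    """Replace each key with a marker so the text can be stored or shared."""
    return KEY_RE.sub(lambda m: "ero_[REDACTED:%s]" % fingerprint(m.group()), text)

# Constructed sample: a fake key leaked through a debug log and a config dump.
SAMPLE_KEY = "ero_" + "ab12" * 16
SAMPLE = "\n".join([
    "INFO sync ok",
    'DEBUG headers={"Authorization": "Bearer %s"}' % SAMPLE_KEY,
    'API_KEY = "ero_your_key_here"',  # documentation placeholder, not a key
    "X-API-Key: %s" % SAMPLE_KEY,
])

if __name__ == "__main__":
    for line_no, fp in scan(SAMPLE):
        print("line %d: key with fingerprint %s" % (line_no, fp))
    print(redact(SAMPLE))
```

Any key this finds should be treated as compromised and revoked from the dashboard, since redacting the copy does not undo the exposure.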