API Overview

API Reference
Complete documentation for the Cliqer API, covering REST endpoints and WebSocket realtime communication.
Base URL
http://preview.cliqer.io/apiAll API endpoints are relative to the base URL of the Cliqer server you're connecting to.
$BASE_URL with your Cliqer instance URL (e.g., http://preview.cliqer.io). For WebSocket examples, replace $WS_URL with wss://preview.cliqer.io. TypeScript examples use relative paths and work without modification.Authentication
Cliqer authenticates with an httpOnly session cookie (session_token), minted by POST /api/auth/login. Browsers send it automatically; server-to-server tooling keeps it in a cookie jar. Studio and Enterprise teams can also mint API keys for server-to-server use, sent as Authorization: Bearer cliqer_<key> (key management requires the Studio or Enterprise plan).
# The session cookie is set by /api/auth/login and sent on every subsequent request
Cookie: session_token=YOUR_SESSION_TOKEN
# Or authenticate a server-to-server request with a team API key
Authorization: Bearer cliqer_<key>
A few endpoints need no session: POST /api/licenses/validate is public, and GET /api/turn-credentials is gated by an Origin allow-list rather than a session.
API Sections
Request Lifecycle
Error Responses
All endpoints return standard error responses:
| Status | Description |
|---|---|
400 | Bad Request - Missing or invalid parameters |
401 | Unauthorized - No valid session cookie |
403 | Forbidden - Insufficient permissions or disallowed origin |
404 | Not Found - Resource not found |
409 | Conflict - e.g. license activation seat limit reached |
429 | Too Many Requests - Rate limit exceeded (see Retry-After) |
500 | Internal Server Error |
Error Response Format:
{
"statusCode": 400,
"statusMessage": "Description of the error"
}
Rate Limiting
Most endpoints are rate-limited per client IP by Cloudflare's native rate-limiting, using a fixed 60-second window across three tiers. When a request exceeds the limit the server responds 429 Too Many Requests with a Retry-After: 60 header. There is no progressive/exponential blocking, and no X-RateLimit-Remaining header is returned.
| Header | Description |
|---|---|
Retry-After | Seconds until the window resets (60, sent only on a 429) |
Rate Limit Tiers
| Tier | Requests / 60s | Applied to |
|---|---|---|
| Strict | 5 | POST /api/licenses/validate, POST /api/connections/rooms/{roomId}/close |
| Standard | 30 | GET /api/licenses/status, POST /api/licenses/deactivate, GET /api/connections/active, POST /api/connections/{id}/kick, POST /api/connections/rooms/{roomId}/broadcast, auth endpoints |
| Relaxed | 60 | High-volume read endpoints |
POST /api/licenses/validate additionally applies a second Strict limit keyed on the license_key itself, so one key cannot be hammered across many IPs. GET /api/turn-credentials is not rate-limited (it is gated by an Origin allow-list instead).
429 for the remainder of the 60-second window. Rate limits are enforced by Cloudflare at the edge.