API Overview
Base URL, authentication model, rate limiting, error format, and endpoint groups for the MyClaude REST API.
The MyClaude API is a REST interface for the Claude Code ecosystem marketplace. Every product listing, purchase, download, and social interaction on myclaude.sh flows through these endpoints.
Base URL
https://myclaude.sh/apiAll paths in this documentation are relative to this base. For example, POST /products/download means POST https://myclaude.sh/api/products/download.
Authentication
MyClaude uses Firebase Authentication with JWT bearer tokens. Every authenticated request must include a valid ID token in the Authorization header.
Authorization: Bearer <firebase-id-token>Obtaining a token
| Method | How |
|---|---|
| CLI | Run myclaude login -- the CLI stores and refreshes your token automatically |
| Web app | The Firebase Client SDK returns a token via getIdToken() after sign-in |
| Programmatic | Exchange Firebase credentials using the Firebase Auth REST API |
The server calls admin.auth().verifyIdToken(token) on every authenticated route. Expired or malformed tokens return 401.
Some endpoints also require email verification (email_verified: true on the decoded token). These are noted per-endpoint in the reference pages.
Ban enforcement
After token verification, the server checks whether the authenticated user is banned. Banned users receive 403 Forbidden on all mutation endpoints.
Endpoint groups
| Group | Base path | Auth | Description |
|---|---|---|---|
| Products | /products/* | Most routes | Upload, scan, download, like, review, approve |
| Users | /users/* | Required | Profile updates, follow/unfollow, account deletion |
| Payments | /stripe/* | Required | Checkout, Stripe Connect onboarding, webhooks |
| Downloads | /products/download | Required | Signed URL generation for product files |
| CLI | /cli/* | Varies | Search (public), create product (auth), profile (auth) |
| System | /health | None | Health check |
CLI endpoints
The CLI endpoints mirror web functionality but are optimized for command-line usage.
| Endpoint | Method | Auth | Description |
|---|---|---|---|
/cli/products/search | GET | None | Search published products with filters |
/cli/products/create | POST | Required | Create or update a product listing |
/cli/auth/profile | GET | Required | Return authenticated user profile |
System endpoints
| Endpoint | Method | Auth | Description |
|---|---|---|---|
/health | GET | None | Returns { status: "ok" } when Firebase and Stripe are reachable |
Rate limiting
All endpoints are rate-limited per IP address within a 60-second sliding window. MyClaude uses two rate limiting strategies.
| Strategy | Behavior on limit failure | Used on |
|---|---|---|
| Standard | Fail-open (allows request if limiter is unavailable) | Read endpoints, search |
| Strict | Fail-closed (blocks request if limiter is unavailable) | Checkout, upload, delete account, mutations |
Rate limits by endpoint
| Endpoint | Limit | Strategy |
|---|---|---|
POST /stripe/checkout | 10/min | Strict |
POST /products/download | 30/min | Strict |
POST /products/upload | 10/min | Strict |
POST /products/scan | 10/min | Strict |
POST /products/like | 30/min | Strict |
GET /products/reviews | 30/min | Standard |
POST /products/reviews | 5/min | Strict |
POST /products/self-approve | 20/min | Strict |
POST /users/update-profile | 5/min | Strict |
POST /users/follow | 30/min | Strict |
DELETE /users/delete-account | 1/min | Strict |
POST /stripe/connect | 5/min | Strict |
POST /reports | 10/min | Strict |
GET /messages | 60/min | Standard |
POST /messages | 20/min | Strict |
GET /messages/:id | 60/min | Standard |
GET /cli/products/search | 30/min | Standard |
GET /cli/auth/profile | 30/min | Standard |
POST /cli/products/create | 5/min | Strict |
When rate-limited, the API returns:
{
"error": "Too many requests"
}Status: 429 Too Many Requests
Header: Retry-After: <seconds>
Error response format
All errors follow a consistent JSON structure:
{
"error": "Human-readable error message"
}Some validation endpoints include additional detail:
{
"error": "Content policy violation",
"issues": ["Description of issue 1", "Description of issue 2"]
}HTTP status codes
| Code | Meaning | When |
|---|---|---|
200 | Success | Request completed |
400 | Bad Request | Missing or invalid parameters, business rule violation |
401 | Unauthorized | Missing or invalid bearer token |
403 | Forbidden | Valid token but insufficient permissions, or user is banned |
404 | Not Found | Resource does not exist or is not published |
409 | Conflict | Duplicate action (already purchased, already reviewed, username taken) |
429 | Too Many Requests | Rate limit exceeded |
500 | Internal Server Error | Unexpected server failure |
503 | Service Unavailable | Dependency unavailable (Stripe, Firestore) or strict rate limiter failure |
OpenAPI specification
A machine-readable OpenAPI 3.1 specification is available at:
https://myclaude.sh/specs/openapi.yamlContent types
All request and response bodies use application/json unless otherwise noted. File uploads use presigned URLs rather than multipart form data -- see the upload flow for details.
Related pages
- Products API Reference -- Upload, search, like, review, approve
- Users API Reference -- Profile, follow, account deletion
- Payments API Reference -- Checkout, Stripe Connect, webhooks
- Downloads API Reference -- Signed URL download flow
- Security Model -- Architecture-level security details