Authentication

Boring uses a two-layer authentication system:

  1. Google OAuth for dashboard access and account management
  2. API Keys for programmatic API access

Dashboard Authentication

Sign In with Google

  1. Visit the Boring Dashboard
  2. Click the "Sign in with Google" button
  3. Choose your Google account
  4. Authorize Boring to access your basic profile information
  5. You'll be redirected back to the dashboard

Once authenticated, your session is valid for 30 days. The session is carried in a JWT stored in a secure HttpOnly cookie.

User Profile

After signing in, you'll see your profile information in the top-right corner. This confirms you're successfully authenticated.

Social Platform Authentication

To publish content, you need to connect your social media accounts.

Connect Facebook Page

  1. Click the "Connect Facebook Page" button
  2. Log in to Facebook (if not already logged in)
  3. Select the Facebook Pages you want to connect
  4. Grant the required permissions:
    • pages_show_list - View your pages
    • pages_read_engagement - Read engagement data
    • pages_manage_posts - Publish and manage posts
    • pages_read_user_content - Read page content
  5. Click "Done"

Your Facebook Page token is now stored and never expires.

Connect Instagram Account

  1. Click the "Connect Instagram" button
  2. Log in to Instagram (if not already logged in)
  3. Authorize Boring to access your Instagram Business account
  4. Grant the required permissions:
    • instagram_business_basic - Basic account info
    • instagram_business_content_publish - Publish content
    • instagram_business_manage_comments - Manage comments
    • instagram_business_manage_messages - Manage DMs
  5. Click "Authorize"

Your Instagram token is valid for 60 days and is automatically converted from short-lived to long-lived.

Note: Instagram requires a Business or Creator account. Personal accounts are not supported.

Connect Threads Account

  1. Click the "Connect Threads" button
  2. Log in to Threads (if not already logged in)
  3. Authorize Boring to access your Threads account
  4. Grant the required permissions:
    • threads_basic - Basic account info
    • threads_content_publish - Publish content
    • threads_manage_replies - Create thread replies
    • threads_manage_insights - Access analytics
    • threads_read_replies - Read replies
  5. Click "Authorize"

Your Threads token is valid for 60 days and automatically refreshes 5 days before expiry.

API Authentication

Using API Keys

All API requests require an API key in the request header:

boring-api-key: boring_xxxxxxxxxxxxx

Generate an API Key

  1. Sign in to the dashboard
  2. Navigate to the Settings page
  3. Click "Generate New API Key"
  4. Provide a descriptive name (e.g., "Production Server", "Test Environment")
  5. Copy the generated key (it starts with boring_)
  6. Store it securely - you won't be able to see it again!

Using the API Key

Include the API key in every API request header:

Python Example:

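import requests

# Placeholder body: the post fields are defined in the API reference.
data = {"post": {}}

headers = {
    # Replace with your own key; load it from an environment variable
    # rather than hard-coding it (see Security Best Practices).
    "boring-api-key": "boring_xxxxxxxxxxxxx",
    "Content-Type": "application/json"
}

response = requests.post(
    "https://boring.aiagent-me.com/v2/posts",
    headers=headers,
    json=data,
    timeout=30,  # do not wait indefinitely on a network call
)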

JavaScript Example:

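// Placeholder body: the post fields are defined in the API reference.
const data = { post: {} };

fetch("https://boring.aiagent-me.com/v2/posts", {
  method: "POST",
  headers: {
    // Replace with your own key; do not ship it in client-side code.
    "boring-api-key": "boring_xxxxxxxxxxxxx",
    "Content-Type": "application/json"
  },
  body: JSON.stringify(data)
});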

cURL Example:

curl -X POST https://boring.aiagent-me.com/v2/posts \
  -H "boring-api-key: boring_xxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{"post": {...}}'

Account IDs

After connecting your social accounts, each account receives a unique Account ID (UUID format).

Finding Your Account ID

  1. Sign in to the dashboard
  2. View your connected accounts list
  3. Click the "Copy ID" button next to any account
  4. Use this ID in API requests to specify which account to publish to

Example Account ID: a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6

Token Expiration

Platform     Token Validity    Auto-Refresh
Facebook     Never expires     N/A
Instagram    60 days           Manual re-authorization
Threads      60 days           Auto-refresh 5 days before expiry

When a token expires or becomes invalid, you'll need to reconnect the account through the dashboard.

Security Best Practices

  1. Never commit API keys to version control - Use environment variables
  2. Rotate API keys regularly - Generate new keys and delete old ones
  3. Use different keys for different environments - Separate production and testing
  4. Monitor API key usage - Check "Last Used" timestamp in Settings
  5. Deactivate compromised keys immediately - Delete them from the Settings page
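
The following is an added example, not code from Boring: it supports practice 1 above by scanning source text for hard-coded keys before a commit and by loading the key from the environment at runtime. The environment variable name BORING_API_KEY and the key character set and length after the boring_ prefix are assumptions; the page only states the prefix.

```python
import os
import re

# Assumption: the page only says keys start with "boring_"; the character
# set and minimum length after the prefix are guesses for this example.
KEY_RE = re.compile(r"\bboring_[A-Za-z0-9_-]{12,}")
PLACEHOLDER_RE = re.compile(r"^boring_[xX]+$")  # e.g. the docs' boring_xxxxxxxxxxxxx


def redact(key):
    """Keep the prefix and last 4 characters so a report never exposes the key."""
    return key[:7] + "..." + key[-4:]


def find_hardcoded_keys(text, filename="<input>"):
    """Return (filename, line_no, redacted_key) for each key-like literal in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            key = match.group(0)
            if PLACEHOLDER_RE.match(key):
                continue  # documentation placeholder, not a real secret
            findings.append((filename, line_no, redact(key)))
    return findings


def load_api_key(env=os.environ, var="BORING_API_KEY"):
    """Read the key from the environment; fail closed if missing or malformed."""
    key = env.get(var, "").strip()
    if not key.startswith("boring_") or PLACEHOLDER_RE.match(key):
        raise RuntimeError(f"{var} is unset or does not look like a Boring API key")
    return key


# Constructed sample: one docs placeholder, one key-like literal, one safe lookup.
SAMPLE = '''headers = {"boring-api-key": "boring_xxxxxxxxxxxxx"}
API_KEY = "boring_Zk3vQ9mT2pLx8RwY"  # constructed value, not a real key
key = os.environ["BORING_API_KEY"]
'''

if __name__ == "__main__":
    for filename, line_no, shown in find_hardcoded_keys(SAMPLE, "client.py"):
        print(f"{filename}:{line_no}: hard-coded API key {shown}")
```

Run the scanner over staged files in a pre-commit hook and reject the commit when it returns any findings.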
