Authentication

Every authenticated request to the Surge API uses HTTP Basic auth. There are two credential forms:

Form Username Password Used for
Token the literal string token your API token Everything, day to day
Email + password your email address your password Minting tokens

Minting a token

POST /token with email + password credentials returns a long-lived token:

curl -X POST https://surge.surge.sh/token -u you@example.com:password
{
  "email": "you@example.com",
  "token": "6b1a5b7d0f8e4c…"
}

Tokens are valid for three years. Use the token for all subsequent requests:

curl https://surge.surge.sh/account -u token:6b1a5b7d0f8e4c…

This is the same token that surge login stores in your ~/.netrc, and that surge token prints—so for scripting against the API you can simply reuse the CLI's token.

Account creation

There is no separate signup endpoint. Authenticating with an email address that has no account creates the account with that email and password. This is how the CLI's first surge run registers you, and it applies to POST /token as well: mint a token with fresh credentials and you've created an account.

The account object

GET /account returns the authenticated account, including plan and card status:

{
  "email": "you@example.com",
  "email_verified_at": "2026-05-01T18:22:10.000Z",
  "created_at": "2024-01-15T09:30:00.000Z",
  "plan": { "name": "Standard" },
  "card": null
}

A 401 here means the token is expired or revoked—mint a new one.

Email verification

POST /verification (authenticated) sends a verification link to the account's email address:

  • 200 { "verified": true } — already verified, nothing sent.
  • 201 { "verified": false, "sent": true } — verification email sent.
  • 200 { "verified": false, "sent": false, "msg": "…" } — an email was already sent within the last five minutes.

Unverified accounts operate under tighter publish rate limits, so verify early.

Password reset

POST /token/reset/:email (no authentication) sends password reset instructions:

curl -X POST https://surge.surge.sh/token/reset/you@example.com

Always responds 201, whether or not the email matches an account.