Skip to main content

AUTHN API Reference

Module Information

Service Files:

  • Private: service/authn.js
  • Public: service/authn.js

Available Services: 5 Documented Services: 5


authn.create

Exchange an HTTP Authorization header credential for a short-lived opaque token. The credential is stored via the authn_store procedure and the generated token is returned to the caller for subsequent authenticated requests.

PropertyValue
ScopeHub (requires hub context)
PermissionAnyone (1)

Endpoint:

https://hostname/-/api/authn.create

Parameters

ParameterTypeRequiredDefaultDescription
AuthorizationstringYes-Standard HTTP Authorization header (e.g. Basic or Bearer scheme). Read from the request header, not the request body.

Returns

FieldTypeDescription
tokenstring22-character opaque authentication token generated by uniqueId(22) and persisted via the authn_store stored procedure

Possible Errors

Error CodeHTTP StatusDescription
UNAUTHORIZED401Authorization header is missing or malformed
INTERNAL_ERROR500Failed to persist token via authn_store procedure

authn.begin

Begin a CLI device-pairing (npm-style login). Creates a pending pairing and returns a device_code the CLI polls with and a short user_code the user approves in the app. Anonymous.

PropertyValue
ScopeHub (requires hub context)
PermissionAnonymous (1)

Endpoint:

https://hostname/-/api/authn.begin

Parameters

ParameterTypeRequiredDefaultDescription
labelstringNo-Human label for the device/session being paired

Returns

FieldTypeDescription
device_codestringSecret handle the CLI polls with
user_codestringShort code the user approves in the app
expiresintegerUnix timestamp when the pairing expires
interval_secondsintegerSuggested poll interval in seconds

authn.poll

Poll a pending CLI pairing by device_code. Returns the minted token once the user has approved it in the app (one-time delivery), otherwise the current status. Anonymous.

PropertyValue
ScopeHub (requires hub context)
PermissionAnonymous (1)

Endpoint:

https://hostname/-/api/authn.poll

Parameters

ParameterTypeRequiredDefaultDescription
device_codestringYes-The device_code returned by authn.begin

Returns

FieldTypeDescription
statusstringpending, approved, expired or unknown
tokenstringThe minted CLI token, present only when status is approved

authn.approve

Approve a pending CLI pairing for the currently signed-in user. Called from the app Authorize action. Requires owner privilege. The identity is taken from the session, not the request body. Mints a CLI token bound to this user and attaches it to the pairing.

PropertyValue
ScopeHub (requires hub context)
PermissionOwner (32)

Endpoint:

https://hostname/-/svc/authn.approve

Parameters

ParameterTypeRequiredDefaultDescription
user_codestringYes-The user_code shown by the CLI
labelstringNo-Human label for the device/session
ttl_daysintegerNo-Token lifetime in days; 0 means no expiry; defaults to 90

Returns

FieldTypeDescription
failedinteger0 on success, 1 on failure
reasonstringFailure reason when failed is 1

authn.create_pat

Mint a Personal Access Token for headless or CI use, bound to the currently signed-in user. Called from account settings. Requires owner privilege. Returns the token once.

PropertyValue
ScopeHub (requires hub context)
PermissionOwner (32)

Endpoint:

https://hostname/-/svc/authn.create_pat

Parameters

ParameterTypeRequiredDefaultDescription
labelstringNo-Human label for the token
ttl_daysintegerNo-Token lifetime in days; 0 means no expiry; defaults to 0

Returns

FieldTypeDescription
tokenstringThe Personal Access Token, shown once
expintegerUnix expiry timestamp, 0 when no expiry
labelstringThe token label