Login (exchange for token)

curl -X POST http://localhost:3000/auth/login \
  -H "Authorization: Bearer $ISOL8_MASTER_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "name": "ci-job-42", "ttlMs": 600000 }'

{
  "token": "isol8_9f2e8d7c...",
  "expiresAt": "2026-03-01T12:10:00.000Z",
  "keyId": "b2c3d4e5-f6a7-8901-bcde-f12345678901"
}

POST

auth

curl -X POST http://localhost:3000/auth/login \
  -H "Authorization: Bearer $ISOL8_MASTER_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "name": "ci-job-42", "ttlMs": 600000 }'

{
  "token": "isol8_9f2e8d7c...",
  "expiresAt": "2026-03-01T12:10:00.000Z",
  "keyId": "b2c3d4e5-f6a7-8901-bcde-f12345678901"
}

Creates a short-lived API token by exchanging the master key. Useful for granting temporary access without sharing the master key itself. The returned token works with all authenticated endpoints (execution, file I/O, sessions) but not with admin endpoints that require the master key (key management). Requires the master key. DB-backed auth must be enabled.

name

string

Label for the token. Defaults to login-<ISO timestamp>.

tenantId

string

Tenant to associate with the token. Defaults to "default".

ttlMs

number

Token lifetime in milliseconds. Defaults to auth.defaultTtlMs from server config.

token

string

Short-lived API token prefixed with isol8_.

expiresAt

string

ISO 8601 expiration timestamp.

keyId

string

UUID of the underlying key record. Can be used with DELETE /auth/keys/:id to revoke early.

curl -X POST http://localhost:3000/auth/login \
  -H "Authorization: Bearer $ISOL8_MASTER_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "name": "ci-job-42", "ttlMs": 600000 }'

{
  "token": "isol8_9f2e8d7c...",
  "expiresAt": "2026-03-01T12:10:00.000Z",
  "keyId": "b2c3d4e5-f6a7-8901-bcde-f12345678901"
}

Tokens created via login are regular DB-backed keys internally. They appear in GET /auth/keys and can be revoked with DELETE /auth/keys/:id.

Revoke API key

Documentation Index