
Authentication

User authentication

OAuth providers

Users log in via OAuth 2.0:

  • Google
  • Microsoft (Entra ID)
  • GitHub
  • Twitter / X
  • LinkedIn

Flow:

  1. GET /api/v1/auth/{provider} → redirects the browser to the provider's consent screen, carrying a freshly generated state value
  2. Provider redirects back to the client with code and state
  3. POST /api/v1/auth/{provider}/exchange with {code, state} → tokens (the state must match the value issued in step 1; a mismatch is a failed login, not a retry)
  4. Server sets httpOnly cookies (lorika_access, lorika_refresh), so page scripts never see the raw tokens

Tokens

  • Access token — JWT, 15 min TTL, contains sub (user id) + org (org id)
  • Refresh token — JWT, 7 days TTL, carries a version counter for rotation: each refresh increments the counter and issues a new pair, so a refresh token with a stale counter is no longer valid

Refreshing

POST /api/v1/auth/refresh — the browser sends the lorika_refresh cookie automatically; no token is passed in the request body.
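The steps above (state check at the exchange endpoint, the two JWTs, and refresh rotation by version counter) as one runnable Python example. This is an added illustration, not the project's own server code: the signing key, TTL constants, the in-memory pending/sessions dicts and the provider_exchange callable are all stand-ins, and the hand-rolled HS256 helper exists only to keep the example dependency-free.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed for this example: the real signing key and TTLs live in the server config.
SIGNING_KEY = b"example-only-signing-key"
ACCESS_TTL = 15 * 60            # 15 min, as documented
REFRESH_TTL = 7 * 24 * 3600     # 7 days, as documented


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode(claims: dict) -> str:
    """Minimal HS256 JWT; a real service would use a vetted library."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_decode(token: str, now: int) -> dict:
    """Verify the signature with a pinned algorithm and reject expired tokens."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")        # never honour alg taken from the token itself
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload))
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def issue_tokens(user_id: str, org_id: str, version: int, now: int):
    """Access token carries sub + org; the refresh token additionally carries the version counter."""
    access = jwt_encode({"typ": "access", "sub": user_id, "org": org_id,
                         "iat": now, "exp": now + ACCESS_TTL})
    refresh = jwt_encode({"typ": "refresh", "sub": user_id, "org": org_id, "ver": version,
                          "iat": now, "exp": now + REFRESH_TTL})
    return access, refresh


def begin_login(pending: dict, session_id: str) -> str:
    """Step 1: mint a one-time state bound to the browser session before redirecting."""
    state = secrets.token_urlsafe(32)
    pending[session_id] = state
    return state


def complete_login(pending, sessions, session_id, code, state, provider_exchange, now):
    """Step 3: check state, trade the code with the provider, open a session, issue tokens."""
    expected = pending.pop(session_id, None)           # single use: consumed whether or not it matches
    if expected is None or not hmac.compare_digest(expected.encode(), state.encode()):
        raise ValueError("state mismatch (possible login CSRF)")
    user_id, org_id = provider_exchange(code)          # provider round-trip; stubbed in tests
    sessions[user_id] = {"org": org_id, "ver": 0}
    return issue_tokens(user_id, org_id, 0, now)


def refresh(sessions: dict, refresh_jwt: str, now: int):
    """POST /auth/refresh: rotate by version counter; a stale version means the token was reused."""
    claims = jwt_decode(refresh_jwt, now)
    if claims.get("typ") != "refresh":
        raise ValueError("not a refresh token")       # an access token presented at /refresh
    session = sessions.get(claims["sub"])
    if session is None:
        raise ValueError("no active session")
    if claims["ver"] != session["ver"]:
        del sessions[claims["sub"]]                    # old token replayed: revoke the whole family
        raise ValueError("refresh token reuse detected; session revoked")
    session["ver"] += 1
    return issue_tokens(claims["sub"], session["org"], session["ver"], now)


if __name__ == "__main__":
    pending, sessions = {}, {}
    state = begin_login(pending, "browser-session-1")
    access, refresh_tok = complete_login(pending, sessions, "browser-session-1", "code-from-provider",
                                         state, lambda code: ("user-42", "org-7"), 1_000_000)
    print(jwt_decode(access, 1_000_000))
    print(refresh(sessions, refresh_tok, 1_000_100)[0][:20], "...")
```

Reuse detection revokes the whole session rather than just rejecting the stale token: once an old refresh token turns up, either the legitimate client or an attacker holds a copy, and the server cannot tell which, so the only safe move is to force a fresh login.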

Agent authentication

Agents authenticate every request with an HMAC keyed by a per-device token. The server stores only the SHA-256 hash of each token, so a dump of the device table yields nothing an attacker can sign with.

Headers:

  • X-Device-Token: <token> — identifies the device (the server hashes it with SHA-256 to look up the record)
  • X-Timestamp: <unix> — request timestamp; requests outside the server's acceptance window are rejected (anti-replay)
  • X-Signature: <hmac> — HMAC-SHA256 over {timestamp}\n{body}, computed on the exact body bytes sent

The token is issued once during enrollment (POST /api/v1/devices/enroll) and never shown again; the enrollment response is the only chance to store it on the device.
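Both sides of the scheme above in Python, as an added example rather than the agent's or the server's actual code. The in-memory registry, the 300-second acceptance window, the use of the device token itself as the HMAC key, and the optional replay cache are assumptions made for the illustration; the page specifies only the three headers, the signed string and the server-side hashing.

```python
import hashlib
import hmac
import secrets

# Assumed acceptance window for X-Timestamp; the page does not state the server's value.
MAX_SKEW_SECONDS = 300


class AuthError(Exception):
    pass


def token_fingerprint(device_token: str) -> str:
    """What the server stores: SHA-256 of the token, never the token itself."""
    return hashlib.sha256(device_token.encode()).hexdigest()


def enroll(registry: dict, device_name: str) -> str:
    """Server side of /devices/enroll: mint a token, keep only its hash, return the plaintext once."""
    token = secrets.token_urlsafe(32)
    registry[token_fingerprint(token)] = {"name": device_name}
    return token


def sign_request(device_token: str, body: bytes, now: int) -> dict:
    """Agent side: build the three headers, signing the exact body bytes that will be sent."""
    ts = str(int(now))
    message = ts.encode() + b"\n" + body                 # {timestamp}\n{body}
    signature = hmac.new(device_token.encode(), message, hashlib.sha256).hexdigest()
    return {"X-Device-Token": device_token, "X-Timestamp": ts, "X-Signature": signature}


def verify_request(registry: dict, headers: dict, body: bytes, now: int, seen: dict = None) -> dict:
    """Server side: look up by hash, bound the timestamp, check the MAC, optionally block replays."""
    token = headers.get("X-Device-Token", "")
    record = registry.get(token_fingerprint(token))
    if record is None:
        raise AuthError("unknown device")
    ts_raw = headers.get("X-Timestamp", "")
    if not ts_raw.isdigit():
        raise AuthError("malformed timestamp")
    if abs(int(now) - int(ts_raw)) > MAX_SKEW_SECONDS:
        raise AuthError("timestamp outside acceptance window")
    # Recompute over the header string exactly as sent, not a re-serialised copy, so a
    # canonicalisation difference cannot turn into a false mismatch.
    expected = hmac.new(token.encode(), ts_raw.encode() + b"\n" + body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), headers.get("X-Signature", "").encode()):
        raise AuthError("bad signature")
    if seen is not None:
        # Assumed extension: remember signatures for the window so an identical request
        # cannot be replayed while its timestamp is still fresh.
        cutoff = int(now) - MAX_SKEW_SECONDS
        for stale in [sig for sig, ts in seen.items() if ts < cutoff]:
            del seen[stale]
        if expected in seen:
            raise AuthError("replayed request")
        seen[expected] = int(ts_raw)
    return record


if __name__ == "__main__":
    registry, seen = {}, {}
    token = enroll(registry, "agent-01")
    body = b'{"event":"heartbeat"}'                      # constructed sample body
    headers = sign_request(token, body, 1_700_000_000)
    print(verify_request(registry, headers, body, 1_700_000_005, seen))
```

Two practical notes. The timestamp window alone only limits how long a captured request stays valid; an identical request can be replayed within the window unless the server also remembers recent signatures, which is why the example keeps the seen cache. And because the token itself travels in X-Device-Token, the HMAC protects integrity and freshness, not the secrecy of the token; TLS is what keeps it from an on-path observer.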

Multi-factor

Not yet enforced in v1. Planned for v2.