Authentication¶
pokkit uses per-client bearer tokens for authentication.
How it works¶
Every request must include an Authorization header with a bearer token:
1 | |
Tokens are tied to a named client identity. The orchestrator validates the token on every request and logs the client name alongside each call for observability.
Getting a token¶
Tokens are issued manually for now. Contact Jim with your use case and you'll receive a token string.
Keep your token secret
Treat your API key like a password. Do not commit it to source control or expose it in client-side code.
401 response¶
If the token is missing, malformed, or unrecognized, the API returns:
1 2 3 4 5 6 | |
Common causes:
- Missing
Authorizationheader - Token not prefixed with
Bearer(note the space) - Token has been revoked or was never issued