Authentication

The Jeriko daemon uses Bearer token authentication. The token is the value of the NODE_AUTH_SECRET environment variable set when the daemon starts.

Getting Your Token

When you run jeriko init, a cryptographically random token is generated and stored in your config. You can retrieve it with:

# Print your auth token
jeriko config get NODE_AUTH_SECRET

# Or read it from the environment
echo $NODE_AUTH_SECRET

Using the Token

Include the token in the Authorization header with the Bearer prefix:

curl http://127.0.0.1:7741/agent/chat \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"message": "hello"}'

Unauthenticated Endpoints

The following endpoints do not require authentication:

  • GET /health — health check
  • POST /hooks/:triggerId — inbound webhooks (verified by signature)
  • GET /oauth/:provider/* — OAuth flow
  • GET /callback — legacy OAuth callback
  • GET /s/:id — public shared sessions
  • POST /billing/webhook — Stripe webhooks (verified by signature)

Error Responses

Authentication failures return standard JSON errors:

{
  "ok": false,
  "error": "Missing Authorization header"
}

Security Notes

  • Tokens are compared using a timing-safe comparison, so response timing cannot be used to guess the token byte by byte (an enumeration attack).
  • WebSocket connections also require auth via the first message (see WebSocket).
  • The daemon binds to 127.0.0.1 by default — not accessible from the network.