Authentication
On first startup, an admin user is created with a randomly generated password that is printed to the server logs. Save this password: it is the only credential that exists at that point. Treat any log output or log shipping that captured it as sensitive, and rotate it through /_api/auth/password as soon as you have logged in.
/auth/login
Authenticate and receive a JWT token.
Request Body Options
| Field | Type | Description | Required |
|---|---|---|---|
| username | string | Username (e.g., "admin"). | Yes |
| password | string | User's password. | Yes |
Response
/_api/auth/password
Change the current user's password. The current password must be supplied as well, so a stolen JWT alone is not enough to lock the legitimate user out.
Request Body Options
| Field | Type | Description | Required |
|---|---|---|---|
| current_password | string | Current password. | Yes |
| new_password | string | New password. | Yes |
Response
/_api/auth/api-keys
Create a new API key.
Request Body Options
| Field | Type | Description | Required |
|---|---|---|---|
| name | string | Name/Description for the API key. | Yes |
| roles | string array | Role names to assign to this key (e.g. ["editor", "viewer"]). Defaults to an empty list, i.e. a key that carries no role. | No |
| scoped_databases | string array | Restrict the key to the named databases (e.g. ["mydb", "analytics"]). Omit for access to every database its roles allow. Keys handed to a single application should be scoped to that application's database. | No |
Response
/_api/auth/api-keys
List active API keys.
Response
/_api/auth/api-keys/:key_id
Revoke an API key.
Response
/_api/livequery/token
Generate a short-lived JWT token for WebSocket live query connections. This token expires in 30 seconds. Useful for connecting to real-time changefeeds without exposing long-lived admin tokens.
Response
Usage: call this endpoint, then connect to ws://host:6745/_api/ws/changefeed?token=TOKEN. The token travels in the URL query string, so use wss:// (TLS) outside local development and assume the token may appear in any access log that records request URLs; the 30-second lifetime is what limits that exposure.
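The first-run sequence these endpoints imply (log in with the admin password from the server log, rotate it, mint a database-scoped API key for the application, then fetch a live-query token right before opening the changefeed), as an added Python example that is not part of this reference or of the project's own client libraries. It assumes POST for login, password change and key creation, GET for /_api/livequery/token, a Bearer Authorization header carrying the JWT, and response fields named token and key; none of these are stated on this page, so check them against a real response. A constructed FakeServer stands in for the HTTP transport so the flow runs offline.

```python
import json
import urllib.parse
import urllib.request


class AuthClient:
    """Thin client for the auth endpoints above (added example, not the
    project's SDK). HTTP verbs, the Bearer Authorization header and the
    response field names 'token' and 'key' are assumptions; `send` is
    injectable so the flow can run against a fake server offline."""

    def __init__(self, base_url, send=None):
        self.base_url = base_url.rstrip("/")
        self.token = None
        self._send = send or self._http_send

    @staticmethod
    def _http_send(method, url, headers, body):
        # Real transport: JSON over urllib, returns (status, decoded body).
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})

    def _call(self, method, path, body=None):
        headers = {"Content-Type": "application/json"}
        if self.token:
            headers["Authorization"] = f"Bearer {self.token}"  # assumed scheme
        status, payload = self._send(method, self.base_url + path, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed with {status}: {payload}")
        return payload

    def login(self, username, password):
        payload = self._call("POST", "/auth/login",
                             {"username": username, "password": password})
        self.token = payload["token"]  # assumed response field
        return self.token

    def change_password(self, current_password, new_password):
        return self._call("POST", "/_api/auth/password",
                          {"current_password": current_password,
                           "new_password": new_password})

    def create_api_key(self, name, roles, scoped_databases=None):
        body = {"name": name, "roles": list(roles)}
        if scoped_databases:  # omitting the field means an unrestricted key
            body["scoped_databases"] = list(scoped_databases)
        return self._call("POST", "/_api/auth/api-keys", body)

    def livequery_ws_url(self, host, port=6745, secure=True):
        """Fetch the 30-second live-query token and build the changefeed URL.
        Call it immediately before connecting; the token is too short to cache."""
        token = self._call("GET", "/_api/livequery/token")["token"]
        scheme = "wss" if secure else "ws"  # page shows ws://; use TLS outside dev
        query = urllib.parse.urlencode({"token": token})
        return f"{scheme}://{host}:{port}/_api/ws/changefeed?{query}"


def bootstrap(client, logged_password, new_admin_password, app_db):
    """First-run hardening: rotate the admin password that was printed to the
    server log, then mint a database-scoped editor key for the application so
    the admin credential never has to live inside it."""
    client.login("admin", logged_password)
    client.change_password(logged_password, new_admin_password)
    key = client.create_api_key(f"{app_db}-writer", ["editor"], [app_db])
    return key


class FakeServer:
    """Constructed stand-in for the HTTP server so the example runs offline;
    records every request and answers with canned JSON in the assumed shapes."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        path = urllib.parse.urlparse(url).path
        self.calls.append((method, path, headers.get("Authorization"), body))
        if path == "/auth/login":
            return 200, {"token": "jwt-admin"}
        if path == "/_api/auth/api-keys":
            return 201, {"id": "k1", "key": "sk_constructed", "roles": body["roles"],
                         "scoped_databases": body.get("scoped_databases")}
        if path == "/_api/livequery/token":
            return 200, {"token": "jwt-30s"}
        return 200, {}


def demo():
    server = FakeServer()
    client = AuthClient("http://db.internal:6745", send=server)
    key = bootstrap(client, "logged-secret", "a-much-longer-passphrase", "analytics")
    url = client.livequery_ws_url("db.internal")
    return server.calls, key, url
```

Against a real server, construct AuthClient without the send argument and the same calls go over urllib. Store the key returned by create_api_key in the application's secret store, not in source or in the same log that already carried the admin password, and give it only the roles and databases the application needs.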
/_api/auth/me
Get current authenticated user info and roles.
Response
/_api/auth/me/permissions
Get effective permissions for the current user.
Response
Roles (RBAC)
Role-based access control. Built-in roles: admin, editor, viewer. A role is a named list of permissions, each an action (admin, write or read) at global or per-database scope; roles are attached to users and to API keys.
/_api/auth/roles
List all roles. Requires admin permission.
Response
/_api/auth/roles
Create a custom role. Requires admin permission. Role names cannot start with reserved prefixes (admin, editor, viewer).
Request Body Options
| Field | Type | Description | Required |
|---|---|---|---|
| name | string | Name of the custom role. | Yes |
| description | string | Human-readable description. | No |
| permissions | array | List of permission objects. Each has: action (admin, write or read), scope (global or database), database (required when scope is database). | Yes |
Example
/_api/auth/roles/:name
Get a specific role by name.
/_api/auth/roles/:name
Update a custom role. Cannot modify builtin roles.
Request Body Options
| Field | Type | Description | Required |
|---|---|---|---|
| description | string | Updated description for the role. | No |
| permissions | array | Updated list of permission objects. Each has: action (admin, write or read), scope (global or database), database (required when scope is database). | No |
/_api/auth/roles/:name
Delete a custom role. Cannot delete builtin roles.
Users
User management endpoints. All require admin permission.
/_api/auth/users
List all users with their roles.
Response
/_api/auth/users
Create a new user.
Request Body Options
| Field | Type | Description | Required |
|---|---|---|---|
| username | string | Username (1-64 characters). | Yes |
| password | string | Password (minimum 6 characters). The server enforces only this minimum; apply a stronger policy wherever users are provisioned. | Yes |
| initial_role | string | Role to assign immediately. Must reference an existing role. | No |
/_api/auth/users/:username
Delete a user.
/_api/auth/users/:username/roles
Get roles assigned to a user.
Response
/_api/auth/users/:username/roles
Assign a role to a user.
Request Body Options
| Field | Type | Description | Required |
|---|---|---|---|
| role | string | Name of an existing role to assign. | Yes |
| database | string | Limit role to a specific database. Omit or set to null for global assignment. | No |
/_api/auth/users/:username/roles/:role
Revoke a role from a user.
Query Parameters
| Parameter | Type | Description | Required |
|---|---|---|---|
| database | string | Revoke role for a specific database scope. Omit to revoke global assignment. | No |
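A client-side check for the role and permission shape described in the Roles section, together with the scoped assign and revoke requests from the Users section, as an added Python example that is not the project's own code. It validates the constraints the reference states (action and scope values, database required for database scope, reserved name prefixes) before a request is sent, and builds the revoke URL so the database scope travels as a query parameter. The HTTP verbs (POST to create a role or assign one, DELETE to revoke) are assumptions, as are treating the prefix check as case-insensitive and rejecting a database field on a global permission; both are stricter than the page states.

```python
import urllib.parse

ACTIONS = {"admin", "write", "read"}
SCOPES = {"global", "database"}
RESERVED_PREFIXES = ("admin", "editor", "viewer")  # from the Roles section


def role_create_body(name, permissions, description=None):
    """Build the JSON body for creating a custom role, enforcing the rules the
    reference states before the request leaves the client. The case-insensitive
    prefix check and the rejection of `database` on a global permission are this
    example's own conservative choices, stricter than the page states."""
    if not name or name.lower().startswith(RESERVED_PREFIXES):
        raise ValueError(f"role name {name!r} is empty or starts with a reserved prefix")
    if not permissions:
        raise ValueError("a role needs at least one permission")
    cleaned = []
    for perm in permissions:
        action, scope = perm.get("action"), perm.get("scope")
        database = perm.get("database")
        if action not in ACTIONS:
            raise ValueError(f"action must be one of {sorted(ACTIONS)}, got {action!r}")
        if scope not in SCOPES:
            raise ValueError(f"scope must be one of {sorted(SCOPES)}, got {scope!r}")
        if scope == "database" and not database:
            raise ValueError("database is required when scope is 'database'")
        if scope == "global" and database:
            raise ValueError("database is only meaningful when scope is 'database'")
        entry = {"action": action, "scope": scope}
        if scope == "database":
            entry["database"] = database
        cleaned.append(entry)
    body = {"name": name, "permissions": cleaned}
    if description:
        body["description"] = description
    return body


def assign_role_request(username, role, database=None):
    """(method, path, body) for assigning a role. `database` limits the grant to
    one database; None is sent as null for a global assignment. POST is assumed."""
    path = f"/_api/auth/users/{urllib.parse.quote(username, safe='')}/roles"
    return "POST", path, {"role": role, "database": database}


def revoke_role_request(username, role, database=None):
    """(method, path) for revoking a role; the database scope travels as a query
    parameter. DELETE is assumed. Omitting `database` revokes only the global
    assignment, so every database-scoped grant needs its own revoke call."""
    path = (f"/_api/auth/users/{urllib.parse.quote(username, safe='')}"
            f"/roles/{urllib.parse.quote(role, safe='')}")
    if database is not None:
        path += "?" + urllib.parse.urlencode({"database": database})
    return "DELETE", path


def demo():
    """Constructed least-privilege setup: a role that may only read the
    analytics database, granted to a reporting user for that database and
    then revoked for exactly that scope."""
    role = role_create_body(
        "analytics_reader",
        [{"action": "read", "scope": "database", "database": "analytics"}],
        description="Read-only access to the analytics database",
    )
    assign = assign_role_request("report-bot", "analytics_reader", "analytics")
    revoke = revoke_role_request("report-bot", "analytics_reader", "analytics")
    return role, assign, revoke
```

The prefix rule catches more than the literal built-in names: "administrator", "editorial" and "viewers" are all rejected, which is why the check runs before the request rather than relying on the server's error. Path segments are percent-encoded so a username containing "/" or "?" cannot alter which resource the request targets.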