Auth service

Authentication, session lifecycle, API key management, roles, step-up, and break-glass controls.

Use this when you need sign-in, token lifecycle, privileged operations, or scoped API key management.

Endpoints

Service surface

POST /auth/login
Starts the login flow.
Auth: Public

Example (Login): Initiate sign-in through the provider redirect.

curl -X POST "$API_BASE/auth/login"

GET /auth/callback
Completes the OAuth or SSO callback.
Auth: Public

Example (Callback): The provider redirects back with a code.

curl "$API_BASE/auth/callback?code=<oauth-code>"

POST /auth/refresh
Exchanges a refresh token for a new access token.
Auth: Refresh token

Example (Refresh): Use a refresh token to obtain a new session token.

curl -X POST "$API_BASE/auth/refresh" \
  -H "Authorization: Bearer <refresh-token>"

POST /auth/revoke
Revokes a session or token.
Auth: Bearer token

Example (Revoke session): Explicitly invalidate a session or token.

curl -X POST "$API_BASE/auth/revoke" \
  -H "Authorization: Bearer <token>"

POST /auth/step-up
Requests elevated authentication for sensitive operations.
Auth: Bearer token

Example (Step-up): Request step-up before privileged actions.

curl -X POST "$API_BASE/auth/step-up" \
  -H "Authorization: Bearer <token>"

POST /auth/break-glass/request
Starts a break-glass access request.
Auth: Bearer token

Example (Break glass): Request emergency access.

curl -X POST "$API_BASE/auth/break-glass/request" \
  -H "Authorization: Bearer <token>"

GET /api-keys
Lists API keys for the current tenant.
Auth: Bearer token

Example (List API keys): List scoped keys for the tenant.

curl -H "Authorization: Bearer <jwt>" "$API_BASE/api-keys"

POST /api-keys
Creates a new API key with scopes, namespaces, and IP restrictions.
Auth: Bearer token

Example (Create API key): Create a scoped key for automation.

curl -X POST "$API_BASE/api-keys" \
  -H "Authorization: Bearer <jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "My integration",
    "scopes": ["memories:read", "memories:write"],
    "namespaces": ["default"],
    "ips": ["203.0.113.10"]
  }'

POST /api-keys/{id}/rotate
Rotates an API key and returns the new secret once.
Auth: Bearer token

Example (Rotate API key): Rotation returns a new one-time secret.

curl -X POST "$API_BASE/api-keys/<key-id>/rotate" \
  -H "Authorization: Bearer <jwt>"

DELETE /api-keys/{id}
Revokes an API key.
Auth: Bearer token

Example (Revoke API key): Delete access for a compromised key.

curl -X DELETE "$API_BASE/api-keys/<key-id>" \
  -H "Authorization: Bearer <jwt>"

GET /roles
Lists roles visible to the authenticated principal.
Auth: Bearer token + RBAC

Example (List roles): Read the caller's visible roles.

curl -H "Authorization: Bearer <jwt>" "$API_BASE/roles"

GET /roles/{name}
Returns a role by name.
Auth: Bearer token + RBAC

Example (Get role): Fetch a specific role by name.

curl -H "Authorization: Bearer <jwt>" "$API_BASE/roles/admin"

Request example

Create an API key

Scoped key creation is the most common developer-facing auth operation.

curl -X POST "$API_BASE/api-keys" \
  -H "Authorization: Bearer <jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "My integration",
    "scopes": ["memories:read", "memories:write"]
  }'

Base path

/auth, /api-keys, /roles

Schemas

OpenAPI-style field tables

API key create request

Payload used by POST /api-keys.

Field        Type       Required   Description
name         string     required   Human-readable key label.
scopes       string[]   required   Allowed capabilities.
namespaces   string[]   optional   Optional namespace restrictions.
ips          string[]   optional   Optional IP allowlist.

API key response

Returned from list, create, rotate, and revoke flows.

Field    Type                     Required             Description
key_id   uuid                     required             Key identifier.
secret   string                   create/rotate only   One-time secret value.
status   "active" | "revoked"     list only            Current key state.

Response examples

What the API returns

List API keys

The list endpoint wraps keys in a top-level keys array.

{
  "keys": [
    {
      "key_id": "2b7e1b83-2f86-4cd1-9a8f-d7cb5efb2fe0",
      "name": "My integration",
      "scopes": ["memories:read", "memories:write"],
      "created_at": "2026-04-10T12:00:00Z",
      "last_used_at": null,
      "status": "active"
    }
  ]
}

Create API key

The create and rotate endpoints return the secret exactly once.

{
  "key_id": "2b7e1b83-2f86-4cd1-9a8f-d7cb5efb2fe0",
  "secret": "cme_live_...",
  "tenant_id": "2f2f0ce7-8f35-4d1c-9c1e-1f7f7fd00a48",
  "name": "My integration",
  "scopes": ["memories:read", "memories:write"]
}

Rotate / revoke behavior

Rotate returns the new secret; revoke returns a simple status payload.

rotate: { "key_id": "2b7e1b83-2f86-4cd1-9a8f-d7cb5efb2fe0", "secret": "cme_live_..." }
revoke: { "status": "revoked" }
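The following is an added example, not code from the project or this page: a small Python client that builds a POST /api-keys body against the field table above, walks the create, rotate, list and revoke flows, and treats the secret as a value that appears exactly once (create and rotate) and never in a list response. The HTTP layer is a constructed stand-in (fake_transport) that replays the documented response shapes; the secret values, the HTTP status codes and the function names are assumptions, and the key_id is the one from the response examples.

```python
import ipaddress

def build_create_request(name, scopes, namespaces=None, ips=None):
    """Validate a POST /api-keys body against the documented field table before sending it."""
    if not (isinstance(name, str) and name.strip() and scopes):
        raise ValueError("name and a non-empty scopes list are required")
    if any(len(s.split(":")) != 2 or not all(s.split(":")) for s in scopes):
        raise ValueError("each scope must look like resource:action, e.g. memories:read")
    body = {"name": name, "scopes": list(scopes)}
    if namespaces:
        body["namespaces"] = list(namespaces)
    if ips:  # ip_address() raises ValueError on anything that is not a literal address
        body["ips"] = [str(ipaddress.ip_address(ip)) for ip in ips]
    return body

def one_time_secret(payload):
    """Create and rotate are the only flows that return the secret, and only once:
    hand it straight to a secret store and never log or echo it."""
    if "key_id" not in payload or "secret" not in payload:
        raise RuntimeError("response lacks key_id or the one-time secret")
    return payload["key_id"], payload["secret"]

def fake_transport(method, path, headers, body=None):
    """Constructed stand-in that replays the documented response shapes; not a real server."""
    kid = "2b7e1b83-2f86-4cd1-9a8f-d7cb5efb2fe0"  # key_id from the page's examples
    if not headers.get("Authorization", "").startswith("Bearer "):
        return 401, {}
    routes = {
        ("POST", "/api-keys"): (200, {"key_id": kid, "secret": "cme_live_created", **(body or {})}),
        ("POST", f"/api-keys/{kid}/rotate"): (200, {"key_id": kid, "secret": "cme_live_rotated"}),
        ("DELETE", f"/api-keys/{kid}"): (200, {"status": "revoked"}),
        ("GET", "/api-keys"): (200, {"keys": [{"key_id": kid, "name": "My integration", "status": "active"}]}),
    }
    return routes.get((method, path), (404, {}))

def key_lifecycle(jwt, transport=fake_transport):
    """Create a scoped key, rotate it, check the list response, then revoke it."""
    def call(method, path, body=None):
        status, payload = transport(method, path, {"Authorization": f"Bearer {jwt}"}, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed with HTTP {status}")
        return payload
    body = build_create_request("My integration", ["memories:read", "memories:write"], ips=["203.0.113.10"])
    key_id, secret = one_time_secret(call("POST", "/api-keys", body))
    _, new_secret = one_time_secret(call("POST", f"/api-keys/{key_id}/rotate"))
    keys = call("GET", "/api-keys")["keys"]
    if any("secret" in k or k.get("status") not in ("active", "revoked") for k in keys):
        raise RuntimeError("list response leaked a secret or carries an unknown status")
    revoked = call("DELETE", f"/api-keys/{key_id}").get("status") == "revoked"
    return {"key_id": key_id, "secret_rotated": secret != new_secret, "listed": len(keys), "revoked": revoked}
```

Swap fake_transport for a function that performs the real HTTP call with the same signature to run the flow against a live deployment.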

Notes

Implementation notes

  • Create, rotate, and revoke operations are guarded by bearer auth and tenant context.
  • Step-up authentication is required for sensitive lifecycle actions in the portal.
  • The auth service routes are defined in cmd/auth-service/main.go and cmd/auth-service/apikey_handlers.go.