Skip to main content
POST
http://localhost:3000
/
auth
/
login
curl -X POST http://localhost:3000/auth/login \
  -H "Authorization: Bearer $ISOL8_MASTER_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "name": "ci-job-42", "ttlMs": 600000 }'

{
  "token": "isol8_9f2e8d7c...",
  "expiresAt": "2026-03-01T12:10:00.000Z",
  "keyId": "b2c3d4e5-f6a7-8901-bcde-f12345678901"
}
Creates a short-lived API token by exchanging the master key. Useful for granting temporary access without sharing the master key itself. The returned token works with all authenticated endpoints (execution, file I/O, sessions) but not with admin endpoints that require the master key (key management). Requires the master key. DB-backed auth must be enabled.
name
string
Label for the token. Defaults to login-<ISO timestamp>.
tenantId
string
Tenant to associate with the token. Defaults to "default".
ttlMs
number
Token lifetime in milliseconds. Defaults to auth.defaultTtlMs from server config.
token
string
Short-lived API token prefixed with isol8_.
expiresAt
string
ISO 8601 expiration timestamp.
keyId
string
UUID of the underlying key record. Can be used with DELETE /auth/keys/:id to revoke early.
curl -X POST http://localhost:3000/auth/login \
  -H "Authorization: Bearer $ISOL8_MASTER_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "name": "ci-job-42", "ttlMs": 600000 }'

{
  "token": "isol8_9f2e8d7c...",
  "expiresAt": "2026-03-01T12:10:00.000Z",
  "keyId": "b2c3d4e5-f6a7-8901-bcde-f12345678901"
}
Tokens created via login are regular DB-backed keys internally. They appear in GET /auth/keys and can be revoked with DELETE /auth/keys/:id.