NekoHub supports two authentication methods for management APIs.

JWT Bearer

Use JWT when the request acts on behalf of a logged-in user. First call POST /api/v1/auth/login, then send:
Authorization: Bearer <access_token>
Example:
curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..." \
  http://localhost:5121/api/v1/assets
JWT is the only accepted method for:
  • POST /api/v1/auth/logout
  • GET /api/v1/auth/me

API key

Use API keys for scripts, automation, CI/CD, and MCP. Do not use the legacy custom header form. API keys also go in the Authorization header:
Authorization: Bearer <api_key>
Example:
curl -H "Authorization: Bearer your-api-key" \
  http://localhost:5121/api/v1/assets
Enable it with:
Auth__ApiKey__Enabled=true
Auth__ApiKey__Keys__0=your-strong-random-key
/mcp only accepts API keys.

Endpoint support matrix

| Endpoint group | JWT | API key |
| --- | --- | --- |
| Public assets | Not required | Not required |
| /content/{storageKey} | Not required | Not required |
| GET /api/v1/system/ping | Not required | Not required |
| GET /api/v1/system/bootstrap | Not required | Not required |
| POST /api/v1/auth/login | Not required | Not required |
| POST /api/v1/auth/refresh | Not required | Not required |
| POST /api/v1/auth/logout | Required | Not accepted |
| GET /api/v1/auth/me | Required | Not accepted |
| /api/v1/assets | Accepted | Accepted |
| /api/v1/users | Accepted | Accepted |
| /api/v1/system/storage | Accepted | Accepted |
| /api/v1/system/ai/providers | Accepted | Accepted |
| /mcp | Not accepted | Required |
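
A client-side pre-flight check built from the matrix above, as an added example that is not NekoHub's own code: because JWTs and API keys share the same Bearer form, it guesses the credential kind from its shape and refuses combinations the matrix rejects before any request is sent. The function names, the JWT-shape heuristic, the matching of sub-paths by prefix, and the choice to send no credential to public endpoints are assumptions of this example.

```python
import base64
import json

# Constructed from the matrix above: (method or None for any, path prefix, policy).
# policy: "none" = no credential needed, "jwt" / "key" = only that kind, "either".
MATRIX = [
    ("POST", "/api/v1/auth/login", "none"), ("POST", "/api/v1/auth/refresh", "none"),
    ("POST", "/api/v1/auth/logout", "jwt"), ("GET", "/api/v1/auth/me", "jwt"),
    ("GET", "/api/v1/system/ping", "none"), ("GET", "/api/v1/system/bootstrap", "none"),
    (None, "/content", "none"), (None, "/mcp", "key"),
    (None, "/api/v1/assets", "either"), (None, "/api/v1/users", "either"),
    (None, "/api/v1/system/storage", "either"),
    (None, "/api/v1/system/ai/providers", "either"),
]

def credential_kind(token):
    """Heuristic (assumption): JWT = three dot-separated parts, first is JSON with "alg"."""
    parts = token.split(".")
    if len(parts) == 3:
        try:
            padded = parts[0] + "=" * (-len(parts[0]) % 4)
            header = json.loads(base64.urlsafe_b64decode(padded))
            if isinstance(header, dict) and "alg" in header:
                return "jwt"
        except ValueError:  # bad base64, bad UTF-8 or bad JSON
            pass
    return "key"

def authorization_for(method, path, token=None):
    """Return the Authorization header value to send, or None for public endpoints."""
    for allowed_method, prefix, policy in MATRIX:
        if allowed_method in (None, method) and (
            path == prefix or path.startswith(prefix + "/")
        ):
            break
    else:
        raise ValueError(f"{method} {path} is not in the documented matrix")
    if policy == "none":
        return None  # example's choice: never attach a secret where none is required
    if token is None:
        raise ValueError(f"{path} requires a credential")
    kind = credential_kind(token)
    if policy not in ("either", kind):
        raise ValueError(f"{path} needs a {policy} credential, got a {kind}")
    return "Bearer " + token
```

Failing early in the client keeps a misplaced credential, such as a user JWT configured for /mcp, out of request logs and turns a 401 into a configuration error at startup.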

Common errors

| HTTP status | Error code | Meaning |
| --- | --- | --- |
| 401 Unauthorized | auth_unauthorized | Missing or invalid JWT |
| 401 Unauthorized | api_key_missing | API key was not provided |
| 401 Unauthorized | api_key_invalid | API key is invalid or the header format is wrong |
| 401 Unauthorized | auth_token_expired | JWT expired |
| 403 Forbidden | auth_forbidden | Authenticated but not authorized |