NekoHub supports two authentication methods:
  • JWT login for the browser admin console and user-backed API calls
  • API key for scripts, automation, CI/CD, and MCP

JWT login

The browser admin console signs in with a username and password. The API returns an access token plus a refresh token.

Log in

curl -X POST http://localhost:5121/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": "your-password"}'

Real responses are wrapped in a top-level data object:

{
  "data": {
    "accessToken": "eyJhbGciOiJIUzI1NiIs...",
    "refreshToken": "refresh-token-value",
    "accessTokenExpiresAtUtc": "2026-04-08T12:15:00Z",
    "refreshTokenExpiresAtUtc": "2026-05-08T12:00:00Z",
    "user": {
      "id": "01956f8d-0000-0000-0000-000000000001",
      "username": "admin",
      "role": "superAdmin",
      "isActive": true,
      "permissions": []
    }
  }
}

Use the access token

curl http://localhost:5121/api/v1/assets \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."

Refresh the access token

curl -X POST http://localhost:5121/api/v1/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{"refreshToken": "refresh-token-value"}'

Token lifetime

Token          Default lifetime  Controlled by
Access token   15 minutes        Auth__Jwt__AccessTokenMinutes
Refresh token  30 days           Auth__Jwt__RefreshTokenDays

The backend signs and validates these tokens. The frontend only stores them and refreshes them when needed.
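
A client that stores the token pair has to decide, before each request, whether to use the access token, refresh it, or log in again. The following is an added example, not NekoHub's own code: it parses the documented login response and makes that decision from the two expiry timestamps. The names TokenPair, parse_auth_response and next_action, and the 60-second clock-skew margin, are assumptions made for illustration.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True, repr=False)
class TokenPair:
    access_token: str
    refresh_token: str
    access_expires: datetime
    refresh_expires: datetime

    def __repr__(self):  # keep token values out of logs and tracebacks
        return f"TokenPair(access_expires={self.access_expires.isoformat()})"


def _parse_utc(value):
    # The documented timestamps end in "Z"; normalise for fromisoformat().
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_auth_response(body):
    """Unwrap the {"data": {...}} envelope of the documented login response."""
    data = json.loads(body).get("data")
    if not isinstance(data, dict):
        raise ValueError("response has no 'data' object")
    return TokenPair(
        data["accessToken"],
        data["refreshToken"],
        _parse_utc(data["accessTokenExpiresAtUtc"]),
        _parse_utc(data["refreshTokenExpiresAtUtc"]),
    )


def next_action(pair, now, skew=timedelta(seconds=60)):
    """Return 'use', 'refresh' or 'login' for the next request."""
    if now + skew < pair.access_expires:
        return "use"          # access token still valid with margin
    if now + skew < pair.refresh_expires:
        return "refresh"      # POST the refresh token to /api/v1/auth/refresh
    return "login"            # both expired: credentials are needed again


# Constructed sample in the documented response shape (token values are fake).
SAMPLE = json.dumps({"data": {
    "accessToken": "sample-access-token",
    "refreshToken": "sample-refresh-token",
    "accessTokenExpiresAtUtc": "2026-04-08T12:15:00Z",
    "refreshTokenExpiresAtUtc": "2026-05-08T12:00:00Z",
}})
```
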

API key

API keys are for non-interactive clients. They are configured through environment variables and sent as Bearer credentials:

curl http://localhost:5121/api/v1/assets \
  -H "Authorization: Bearer your-strong-random-api-key"

For MCP:

curl http://localhost:5121/mcp \
  -H "Authorization: Bearer your-strong-random-api-key"

Which method should you use?

Use case                 Recommended method
Admin console (browser)  JWT login
User-backed API calls    JWT login
Scripts and automation   API key
MCP integrations         API key
CI/CD pipelines          API key