Skip to main content

What It Does

The daemon serves a local HTTP API on 127.0.0.1:8765. Every request except /v1/health must present a bearer token. Which token is accepted is decided by MIRAGE_AUTH_MODE: /v1/health is always reachable without a token so load balancers and process supervisors can probe it.

Local Mode (Default)

You usually do nothing. The first time the CLI spawns the daemon it writes a random 32-byte token to ~/.mirage/auth_token at mode 0o600 and uses it on every subsequent request.
Probe it directly:

Token Mode (Operator PAT)

For a daemon you run yourself (Docker, systemd, a shared dev box), pin one token across all clients.
Clients pass the same value:
Both server and CLI use a constant-time compare, so timing leakage is not a concern.

JWT Mode (External Issuer)

Hand the daemon a public key and it will accept any non-expired JWT signed by the matching private key. Verification is networkless: no JWKS fetch, no callback to the issuer.
Hard rules the daemon enforces:
  • alg is pinned to MIRAGE_JWT_ALG. A token signed with a different algorithm is rejected, which defeats alg-confusion attacks.
  • alg=none is always rejected.
  • exp is mandatory.
  • typ, if present, must be JWT.
  • Opaque (non-three-segment) values in Authorization: Bearer are rejected before key work, so probing is cheap.

Environment Reference

Where to Go Next

  • CLI walks the daily Workspace flow that uses local-mode automatically.
  • Architecture shows where the auth middleware sits in the request path.