What It Does
The daemon serves a local HTTP API on127.0.0.1:8765. Every request except /v1/health must present a bearer token. Which token is accepted is decided by MIRAGE_AUTH_MODE:
/v1/health is always reachable without a token so load balancers and process supervisors can probe it.
Local Mode (Default)
You usually do nothing. The first time the CLI spawns the daemon it writes a random 32-byte token to~/.mirage/auth_token at mode 0o600 and uses it on every subsequent request.
Token Mode (Operator PAT)
For a daemon you run yourself (Docker, systemd, a shared dev box), pin one token across all clients.JWT Mode (External Issuer)
Hand the daemon a public key and it will accept any non-expired JWT signed by the matching private key. Verification is networkless: no JWKS fetch, no callback to the issuer.algis pinned toMIRAGE_JWT_ALG. A token signed with a different algorithm is rejected, which defeats alg-confusion attacks.alg=noneis always rejected.expis mandatory.typ, if present, must beJWT.- Opaque (non-three-segment) values in
Authorization: Bearerare rejected before key work, so probing is cheap.
Environment Reference
Where to Go Next
- CLI walks the daily Workspace flow that uses local-mode automatically.
- Architecture shows where the auth middleware sits in the request path.