Authentication
The NodeFoundry API uses JWT tokens stored in HTTP-only cookies. After logging in, the browser automatically sends the tokens with every request — no manual Authorization header needed.
How it works
- Call `POST /user/login` with username and password
- The response sets two cookies: `access_token` (short-lived) and `refresh_token` (long-lived)
- All subsequent requests include these cookies automatically
- When the access token expires, call `POST /user/refresh` to get a new one
- Call `POST /user/logout` to invalidate the session
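The login, refresh and logout steps above as a small Python client, added here as an illustration and not NodeFoundry's own code. The base URL, the JSON login body, success reported as any 2xx status, and an expired access token answering 401 are assumptions the page does not state.

```python
import json
import urllib.error
import urllib.request
from http.cookiejar import CookieJar


class NodeFoundrySession:
    """Cookie-based client for the login / refresh / logout flow (added example)."""

    def __init__(self, base_url):
        self.base_url = base_url.rstrip("/")  # assumption: caller supplies the API root
        self.jar = CookieJar()  # holds access_token and refresh_token in memory only
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(self.jar))

    def cookie_names(self):
        return {c.name for c in self.jar}

    def _send(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        if data is not None:
            req.add_header("Content-Type", "application/json")
        try:
            with self.opener.open(req, timeout=10) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()

    def login(self, username, password):
        # Assumption: credentials travel as a JSON body with these field names.
        status, _ = self._send("POST", "/user/login",
                               {"username": username, "password": password})
        return 200 <= status < 300 and "access_token" in self.cookie_names()

    def request(self, method, path, body=None):
        status, payload = self._send(method, path, body)
        if status == 401:
            # Assumption: 401 means the access token expired; refresh, then retry once.
            refreshed, _ = self._send("POST", "/user/refresh")
            if 200 <= refreshed < 300:
                status, payload = self._send(method, path, body)
        return status, payload

    def logout(self):
        status, _ = self._send("POST", "/user/logout")
        self.jar.clear()  # drop local cookies even if the server call failed
        return 200 <= status < 300
```

The retry happens at most once per call, so a rejected refresh token surfaces as a 401 to the caller instead of looping.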
S3 authentication
S3 endpoints use a separate credential system. Pass your RGW access and secret keys via headers:
| Header | Description |
|---|---|
| X-S3-Access-Key | S3 access key from RGW user |
| X-S3-Secret-Key | S3 secret key from RGW user |
These can also be passed as query parameters: `?accessKey=...&secretKey=...`
Unauthenticated endpoints
The following endpoints do not require authentication:
- `POST /user/login`
- `POST /user/refresh`
- `GET /boot/config` (iPXE boot)
- `GET /boot/default` (iPXE default)
- `GET /templates/rendered/{name}` (rendered templates)