# Authentication

## Three token types

| Type | Who | Lifetime | Where used |
|---|---|---|---|
| Session cookie | Users (dashboard) | 14 days (sliding) | Browser |
| Personal access token (PAT) | Users (CLI, scripts) | 90 days | API clients |
| Agent token | Agents | No expiry, revocable | WebSocket handshake |
## Login (session)

```http
POST /api/v1/auth/login
Content-Type: application/json

{ "email": "...", "password": "..." }
```

Response: `Set-Cookie: z4j_session=...; HttpOnly; Secure; SameSite=Lax`.

Subsequent requests: the browser sends the cookie automatically.
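A small check for the cookie attributes documented above. This is an added example, not code from the z4j project: it parses a `Set-Cookie` header value and reports which of `HttpOnly`, `Secure` and `SameSite` are missing on the `z4j_session` cookie (the page documents `SameSite=Lax`; the check also accepts `Strict`, which is the tighter setting). The sample header values in the usage section are constructed.

```python
"""Verify a login response's Set-Cookie header carries the attributes the
Authentication page documents for z4j_session: HttpOnly, Secure, SameSite=Lax.

Added example; not part of the z4j project. Sample headers are constructed.
"""
from dataclasses import dataclass, field

# attribute -> acceptable values (None = flag attribute, presence is enough)
REQUIRED = {"httponly": None, "secure": None, "samesite": {"lax", "strict"}}


@dataclass
class CookieCheck:
    name: str
    attributes: dict = field(default_factory=dict)
    missing: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.missing


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attr_lower: value_or_None})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or None
    return name.strip(), value, attrs


def check_session_cookie(header: str, cookie_name: str = "z4j_session") -> CookieCheck:
    """Return a CookieCheck listing every documented attribute that is absent or wrong."""
    name, _, attrs = parse_set_cookie(header)
    result = CookieCheck(name=name, attributes=attrs)
    if name != cookie_name:
        result.missing.append(f"expected cookie {cookie_name!r}, got {name!r}")
        return result
    for attr, allowed in REQUIRED.items():
        if attr not in attrs:
            result.missing.append(attr)
        elif allowed is not None and (attrs[attr] or "").lower() not in allowed:
            result.missing.append(f"{attr}={'|'.join(sorted(allowed))}")
    return result


if __name__ == "__main__":
    # constructed sample: the header the page documents, and a weakened one
    for hdr in ("z4j_session=abc123; HttpOnly; Secure; SameSite=Lax",
                "z4j_session=abc123; Path=/"):
        res = check_session_cookie(hdr)
        print("OK" if res.ok else f"missing: {res.missing}", "<-", hdr)
```

Run it against the `Set-Cookie` header of a real login response (for example from `curl -i`) to confirm a deployment still sets all three attributes after a configuration change.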
## Logout

```http
POST /api/v1/auth/logout
```

Invalidates the session server-side.
## Personal access tokens

Create from Dashboard → Settings → Tokens → Create. Shown once.

Use in scripts:

```sh
curl -H "Authorization: Bearer pat_..." \
  https://z4j.example.com/api/v1/tasks
```

Revoke from the same page.
## Agent tokens

Minted from Dashboard → Agents → Mint token. See the agents API for the mint endpoint.
## Rate limits on auth

- `POST /auth/login`: 5/minute per IP, 10/minute per email.
- `POST /auth/password-reset-request`: 3/hour per email.
- `POST /auth/password-reset-complete`: 10/hour per IP.

Exceeding any limit returns `429 Too Many Requests`.
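The limits above, implemented as a sliding-window limiter. This is an added example and not the z4j project's own code: it keys on the endpoint plus the IP or email dimension, evaluates every applicable limit before recording the request (so a rejected request consumes no quota), and returns the `429` together with a `Retry-After` value the handler can put in the response. The store is an in-memory dict, which illustrates the policy for a single process; the clock is injectable so the behaviour can be tested without waiting. Sample IPs and addresses are constructed.

```python
"""Sliding-window limiter for the auth rate limits documented on this page.

Added example; not part of the z4j project. In-memory only.
"""
import math
import time
from collections import defaultdict, deque

# (endpoint, dimension) -> (max requests, window in seconds); values from the page
LIMITS = {
    ("/auth/login", "ip"): (5, 60),
    ("/auth/login", "email"): (10, 60),
    ("/auth/password-reset-request", "email"): (3, 3600),
    ("/auth/password-reset-complete", "ip"): (10, 3600),
}


class AuthRateLimiter:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.hits = defaultdict(deque)  # (endpoint, dim, value) -> timestamps in window

    def _prune(self, key, window, now):
        q = self.hits[key]
        while q and now - q[0] >= window:
            q.popleft()
        return q

    def check(self, endpoint, ip, email=None):
        """Return (status, retry_after_seconds).

        200 means the request may proceed and has been counted; 429 means a
        documented limit is exhausted and nothing was recorded.
        """
        now = self.clock()
        dims = {"ip": ip, "email": email}
        applicable = [
            (dim, LIMITS[(endpoint, dim)])
            for dim in ("ip", "email")
            if (endpoint, dim) in LIMITS and dims[dim] is not None
        ]
        # Evaluate all limits first so a 429 on one dimension consumes no quota on another
        for dim, (limit, window) in applicable:
            q = self._prune((endpoint, dim, dims[dim]), window, now)
            if len(q) >= limit:
                retry_after = max(1, math.ceil(window - (now - q[0])))
                return 429, retry_after
        for dim, _ in applicable:
            self.hits[(endpoint, dim, dims[dim])].append(now)
        return 200, 0


if __name__ == "__main__":
    rl = AuthRateLimiter()
    # constructed sample: six login attempts from one IP within a minute
    for i in range(6):
        print(rl.check("/auth/login", "203.0.113.7", f"user{i}@example.com"))
```

The per-email limit is evaluated on the email as submitted; normalising it (lower-casing, trimming) before the call keeps one account from being split across several counters.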
Not in v1.0. Planned post-v1.1.
## SSO / OAuth2

Not in v1.0. Tracked on the roadmap.