Authentication
Runsite Platform uses JWT (JSON Web Tokens) for authentication. Multiple authentication methods are supported.
Token Types
| Token | Lifetime | Purpose |
|---|---|---|
| Access token | 30 minutes | Authorize API requests |
| Refresh token | 7 days | Obtain new access tokens |
Auth Flow
- Register: `POST /api/auth/register` with email, password, and name
- Login: `POST /api/auth/login` returns access + refresh tokens
- Use API: include the `Authorization: Bearer <access_token>` header
- Refresh: `POST /api/auth/refresh` with the refresh token when the access token expires
- Logout: `POST /api/auth/logout` to invalidate the session
Google OAuth
Runsite supports Google OAuth for one-click sign-in.
- Get OAuth URL: `GET /api/auth/google/url` returns the Google consent page URL
- Callback: `GET /api/auth/google/callback` handles the redirect from Google and creates the session
The frontend redirects the user to the Google URL, and the callback automatically sets authentication cookies.
Frontend Token Handling
The frontend stores tokens in localStorage and uses Axios interceptors to:
- Automatically attach the access token to every request
- Queue requests on 401 and refresh the token transparently
- Redirect to login if refresh fails
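The 401 handling listed above, sketched as an added example that is not Runsite's frontend code: concurrent requests that hit an expired access token share a single call to `POST /api/auth/refresh`. The injected `transport` function and the field names `refresh_token` and `access_token` are assumptions, not taken from the Runsite API.

```javascript
// Added example, not Runsite's frontend code. Assumed names: the injected
// transport(method, path, {headers, body}) -> Promise<{status, body}>, the
// request field `refresh_token` and the response field `access_token`.
function createClient(transport, store, onAuthLost) {
  let refreshing = null; // shared promise while a refresh is in flight

  function refreshOnce() {
    if (!refreshing) {
      refreshing = transport('POST', '/api/auth/refresh', {
        headers: {},
        body: { refresh_token: store.refresh },
      }).then((res) => {
        if (res.status !== 200) throw new Error('refresh rejected');
        store.access = res.body.access_token;
      }).finally(() => { refreshing = null; });
    }
    return refreshing;
  }

  async function request(method, path, body) {
    const send = (token) => transport(method, path, {
      headers: { Authorization: `Bearer ${token}` },
      body,
    });
    const used = store.access;
    const res = await send(used);
    if (res.status !== 401) return res;
    // Refresh only if no other request has already rotated the token.
    if (store.access === used) {
      try {
        await refreshOnce(); // concurrent 401s all wait on this one call
      } catch (err) {
        store.access = null; // drop credentials that no longer work
        store.refresh = null;
        onAuthLost();        // e.g. redirect to the login page
        throw err;
      }
    }
    if (!store.access) throw new Error('not authenticated');
    return send(store.access); // single retry; a second 401 is returned as-is
  }

  return { request };
}
```

With Axios the same logic sits in a response interceptor; `transport` is injected here only so the example runs without a network. Because localStorage is readable by any script running on the origin, clearing both tokens when the refresh fails keeps dead credentials from lingering there.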
API Key Authentication
For programmatic access (CI/CD, CLI tools, integrations), you can use API keys instead of JWT tokens.
API keys are sent in the `Authorization: Bearer ak_live_...` header, the same header used for JWT, so switching between them is seamless.
See API Keys for details on creating and managing keys.
User Profile
Get current user
```http
GET /api/users/me
```
Upload avatar
```http
POST /api/users/me/avatar
Content-Type: multipart/form-data

file: <avatar.png>
```
Remove avatar
```http
DELETE /api/users/me/avatar
```