Authentication

AuroraSOC supports two authentication methods: JWT for interactive users and API keys for programmatic access. Both are enforced on every API endpoint and WebSocket connection.

Authentication flow

JWT authentication

Interactive users authenticate with JWT tokens:

| Setting | Default | Description |
| --- | --- | --- |
| JWT_SECRET_KEY | Required, 32+ chars | HMAC-SHA256 signing key |
| JWT_EXPIRY_HOURS | 24 | Token lifetime |

Generate a secret:

openssl rand -hex 32
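
The sketch below is an added example, not AuroraSOC's own code. It shows how the two settings above translate into token issuance and verification with HMAC-SHA256 using only the Python standard library. The function names and the `sub`/`iat`/`exp` claim layout are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

JWT_EXPIRY_HOURS = 24  # default from the settings table

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def load_key(secret):
    # Refuse to run with a signing key shorter than the documented 32 characters.
    if len(secret) < 32:
        raise ValueError("JWT_SECRET_KEY must be at least 32 characters")
    return secret.encode()

def sign(key, signing_input):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue_token(secret, subject, now=None):
    now = int(time.time()) if now is None else now
    parts = ({"alg": "HS256", "typ": "JWT"},
             {"sub": subject, "iat": now, "exp": now + JWT_EXPIRY_HOURS * 3600})
    signing_input = ".".join(b64url_encode(json.dumps(p).encode()) for p in parts)
    return signing_input + "." + b64url_encode(sign(load_key(secret), signing_input))

def verify_token(secret, token, now=None):
    key = load_key(secret)
    now = int(time.time()) if now is None else now
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(claims_b64))
        sig = b64url_decode(sig_b64)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("not JSON objects")
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":  # pin the algorithm; ignore the token's choice
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(sig, sign(key, head_b64 + "." + claims_b64)):
        raise ValueError("bad signature")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```

The verifier checks the algorithm, then the signature in constant time, then the expiry, so a token that names a different algorithm or carries altered claims is rejected before any claim is trusted.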

API key authentication

Service accounts authenticate with API keys. The bootstrap key is set via API_SERVICE_KEY in the environment. Additional keys can be created through the API by operators with admin permissions.

Session management

The JWT is stored in an httpOnly cookie for dashboard users. The token is also returned in the response body for programmatic use. API keys are passed via the X-API-Key header.