Authentication

Auth JWT-based

Token types

The Edge Connector uses JWTs issued by the nara platform that carry:

• the organization the connector belongs to
• the user or service identity
• an admin role for the organization (required for most operations)

Tokens are stored locally in auth-token.json (or a custom path) and reused by both the CLI and the runtime.

Authenticating the CLI (server mode)

1. Obtain an admin token for your organization from the nara webapp (API token, service principal, or similar).

2. On the target machine, run:

   edge-connector auth --token "<ADMIN_JWT>"

3. The CLI validates the token (organization, role, expiry) and writes auth-token.json next to your config (or to the path from AUTH_TOKEN_PATH).

Where the token is stored

By default the CLI writes auth-token.json in the current working directory. Use AUTH_TOKEN_PATH to move it into a dedicated secrets folder.

Desktop authentication flow

Desktop connectors automate authentication:

1. The runtime starts without a token and calls a desktop auth endpoint on the platform.
2. The user is redirected to a browser flow for sign‑in and org selection.
3. Once approved, the platform issues a token tied to the user and org.
4. The runtime stores the token via auth-token.json and reuses it until it expires.

If the token expires the runtime automatically refreshes it using the same flow (or a test-mode provisioning mechanism in automated environments).

Rotating and revoking tokens

• To rotate, generate a new admin token in the webapp and re-run:

  edge-connector auth --token "<NEW_ADMIN_JWT>"

• To revoke a token:

  • disable or delete it from the webapp’s admin surface, and
  • clear the local token file (for example by deleting auth-token.json on the connector host).

Do not share tokens between organizations

Tokens are organization-scoped. Reusing the same token across multiple tenants breaks isolation and may be rejected by the platform.