> ## Documentation Index
> Fetch the complete documentation index at: https://docs.openbunny.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Web sessions and API token authentication for the cloud.

The cloud supports two authentication methods: web sessions for human users and API tokens for service-to-cloud communication.

## Web sessions

Web users authenticate using Supabase Auth with magic link OTP:

1. User enters their email on the login page
2. Supabase sends a magic link to their email
3. Clicking the link creates a session
4. The session is managed via Supabase cookies

The middleware at `middleware.ts` guards all authenticated routes and redirects unauthenticated users to `/login`.

## API tokens (PAK)

The service authenticates with the cloud using Personal API Keys (PAK). These are long-lived tokens created through the settings UI.

### Token format

```
obk_<64 hex characters>
```

### How they work

* Tokens are hashed with SHA-256 before storage — the raw token is shown only once at creation
* Each request includes the token in the `Authorization` header and the team ID in `X-Team-Id`
* The cloud verifies the hash, resolves the team, and updates `last_used_at`

### Using tokens

```bash theme={null}
curl https://your-cloud.vercel.app/api/tasks \
  -H "Authorization: Bearer obk_your-token" \
  -H "X-Team-Id: your-team-uuid"
```

### Managing tokens

Go to **Settings** in the cloud web UI to:

* Create new tokens with descriptive names
* View last-used timestamps
* Revoke tokens
