Authentication
QLAM uses OAuth2 for authentication. This section covers the available authentication flows and when to use each.
Authentication Flows
| Flow | Use Case | Interactive |
|---|---|---|
| Authorization Code | Users with browser access | Yes |
| Device Code | Headless environments, CLI | Yes (separate device) |
| Token Refresh | Extending session without re-login | No |
| Machine-to-Machine | Service accounts, automation | No |
Choosing a Flow
For Interactive Users
Authorization Code Flow is the standard choice for users who can access a web browser. This is what QLAM Shell uses by default with qsh auth login.
Device Code Flow is for environments without browser access (e.g., remote servers, containers). The user authenticates on a separate device.
For Automated Systems
Machine-to-Machine (M2M) is for service accounts and automated pipelines that run without user interaction.
For Token Management
Token Refresh explains how to use refresh tokens to obtain new access tokens without re-authenticating.
Token Lifetimes
| Token Type | Default Lifetime |
|---|---|
| Access Token | 1 day (24 hours) |
| Refresh Token | 15 days |
Token Expiration
Access tokens expire after 24 hours. Use token refresh to obtain new tokens, or re-authenticate.
Common Configuration
All OAuth2 flows require these configuration values (provided by your QLAM administrator):
| Parameter | Description | Example |
|---|---|---|
| auth_base_url | Identity provider URL | https://quera-identity.us.auth0.com |
| client_id | OAuth2 client identifier | UWvieOlCODgHRKaU6dCACJwwhHIlWwEp |
| audience | API identifier | https://v2/demo |
| scope | Requested permissions | openid email profile offline_access |
Access Token Usage
All API requests require the access token in the Authorization header:
Authorization: Bearer <access_token>
Example:
curl -X GET "https://api.demo.quera.com/v2/tasks" \
-H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
Credential Storage
QLAM Shell stores credentials in ~/.qsh/credentials/. These files contain sensitive tokens and should be protected:
# Secure credential directory
chmod 700 ~/.qsh
chmod 600 ~/.qsh/credentials/*
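
To confirm the modes above are actually in effect, the following added example (not part of QLAM Shell or the original documentation) audits the credential store and re-applies owner-only permissions. The function names `audit_qsh_perms` and `harden_qsh_perms` are hypothetical, and the only layout assumed is the `~/.qsh/credentials/` directory described above.

```shell
#!/bin/sh
# Added example (not QLAM Shell code): audit and harden the credential store.
# Assumes the layout from this page: ~/.qsh with a credentials/ subdirectory.

# audit_qsh_perms [ROOT]
#   Prints every directory or regular file under ROOT that grants any
#   permission bit to group or other.
#   Returns 0 if clean, 1 if findings, 2 if ROOT does not exist.
audit_qsh_perms() {
    root="${1:-$HOME/.qsh}"
    if [ ! -d "$root" ]; then
        echo "audit_qsh_perms: $root not found" >&2
        return 2
    fi
    # POSIX find: "-perm -MODE" is true when all bits in MODE are set,
    # so OR the six group/other bits to catch any one of them.
    findings=$(find "$root" \( -type d -o -type f \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$findings" ]; then
        printf 'group/other access on:\n%s\n' "$findings"
        return 1
    fi
    return 0
}

# harden_qsh_perms [ROOT]
#   Sets 700 on directories and 600 on regular files under ROOT.
harden_qsh_perms() {
    root="${1:-$HOME/.qsh}"
    [ -d "$root" ] || return 2
    find "$root" -type d -exec chmod 700 {} +
    find "$root" -type f -exec chmod 600 {} +
}
```

Unlike the `credentials/*` glob, `find` also reaches dotfiles and nested directories. Run `audit_qsh_perms` after sourcing the file; a non-zero exit status makes it usable as a login or CI check.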