Skip to content

Authentication

This section covers how principals (users, services) prove their identity to HiveCast and to local Hosts. It does NOT cover authorization (who is allowed to do what); that's the Authorization section.

Pages in this section

  • HiveCast account loginHostSessionService
    • Google OIDC + the principal session JWT.
  • OAuth providers — Google, GitHub, Anthropic, Codex, Ollama. Where each redirect lands, who stores the token, why.
  • Device flow — the device-code flow used by Hosts to authenticate themselves to HiveCast.
  • Staging OAuth — staging vs production OAuth client configuration; how to set up a staging tenant for testing.
  • Local testing — running auth against a sibling Host playing the platform role; bypass shortcuts and what they trade away.

The two OAuth families (preview)

FamilyWhere the redirect landsWhere the token storesWhy
HiveCast account loginhttps://hivecast.ai/api/auth/callback/<provider>HiveCast system.auth cloud-sidePre-registered redirect; cloud is the OIDC RP
Per-provider inferencehttp://localhost:<port>/callbackDevice's <matrix-home>/credentials.json (Factotum)Loopback redirect; token must stay local

This is non-negotiable. See Why hosts do not receive raw OAuth tokens for the architectural rule.