Appearance
Authentication
This section covers how principals (users, services) prove their identity to HiveCast and to local Hosts. It does NOT cover authorization (who is allowed to do what); that's the Authorization section.
Pages in this section
- HiveCast account login —
HostSessionService- Google OIDC + the principal session JWT.
- OAuth providers — Google, GitHub, Anthropic, Codex, Ollama. Where each redirect lands, who stores the token, why.
- Device flow — the device-code flow used by Hosts to authenticate themselves to HiveCast.
- Staging OAuth — staging vs production OAuth client configuration; how to set up a staging tenant for testing.
- Local testing — running auth against a sibling Host playing the platform role; bypass shortcuts and what they trade away.
The two OAuth families (preview)
| Family | Where the redirect lands | Where the token stores | Why |
|---|---|---|---|
| HiveCast account login | https://hivecast.ai/api/auth/callback/<provider> | HiveCast system.auth cloud-side | Pre-registered redirect; cloud is the OIDC RP |
| Per-provider inference | http://localhost:<port>/callback | Device's <matrix-home>/credentials.json (Factotum) | Loopback redirect; token must stay local |
This is non-negotiable. See Why hosts do not receive raw OAuth tokens for the architectural rule.