Authentication

Polysystems supports two authentication methods: JWT session tokens for browser-based access and API tokens for programmatic access. Both use the Authorization: Bearer header.

JWT Session Tokens

When you sign in through the web interface, the server issues a JWT stored in localStorage. Tokens expire after 7 days.

Field	Value
Algorithm	HS256
Expiry	7 days
Claims	sub (user UUID), email, iat, exp
Storage	localStorage (access_token)

Token Structure

JWT payload

json

{
  "sub": "550e8400-e29b-41d4-a716-446655440000",
  "email": "user@example.com",
  "iat": 1709251200,
  "exp": 1709856000
}

API Tokens

API tokens provide programmatic access without a browser session. Ideal for CI/CD pipelines, MCP servers, and CLI tools.

Using an API token

bash

export POLY_API_TOKEN="sk-poly-abc123..."

curl https://dev.poly.inc/api/secrets/vaults \
  -H "Authorization: Bearer $POLY_API_TOKEN"

Token Scopes

Scope	Access
secrets:read	Read vault contents and list secrets
secrets:write	Create, update, and delete secrets
mcp:access	Access secrets via MCP protocol
admin	Full account access including token management

OAuth Providers

GitHub and Google are supported. On first login, a user record is created automatically.

User clicks "Sign in with GitHub" or "Sign in with Google"

Redirect to provider authorization page

Provider redirects back with authorization code

Server exchanges code, creates/finds user, issues JWT

#Authentication

#JWT Session Tokens

#Token Structure

#API Tokens