Authentication
The OSS edition has no API authentication — bind to 127.0.0.1 or firewall the API port. Super Premium adds token-based auth for shared or public-facing deployments.
By default, an unauthenticated Premium server also allows open access on the bind port. In a trusted private network, that may be acceptable; for production, enable authentication.
Enabling Authentication (Premium)
To enable authentication, you must provide a root auth_secret in your configuration.
# super.toml (Premium only)
auth_secret = "my-super-secure-root-password"Once enabled:
- All API requests require an
Authorization: Bearer <token>header. - The CLI supports
super loginto save credentials locally, or--token/SUPER_TOKENfor one-off use. - The Web UI will prompt for authentication.
CLI Bootstrap
First-time setup on Premium:
# 1. Log in with the root secret from super.toml
super login <auth_secret> --url http://your-server:9002
# 2. Create scoped tokens for users or CI
super token create ci-bot --role operator
# 3. Optionally log in again with the new sk- token
super login sk-a1b2c3d4...OSS users:
super loginagainst an OSS server will fail with a clear message — OSS has no authentication and does not need login.
Managing Tokens
Instead of sharing the root password, you should issue individual tokens for users or CI/CD bots.
Creating a Token
# Generate a token for a CI pipeline with Operator privileges
$ super token create ci-bot --role operator
Token Created: ci-bot (Operator)
Token: sk-a1b2c3d4... (Save this now!)Listing Tokens
View all active tokens and their creation dates.
$ super token list
ID Name Prefix Role Created
------ ------- ------- ------- -------------------
uuid-1 ci-bot sk-a1b2 Operator 2023-10-01 12:00:00
uuid-2 alice sk-x9y8 Admin 2023-10-02 09:30:00Revoking a Token
If a token is leaked, you can revoke it instantly without rotating the root password.
$ super token revoke uuid-1