Skip to content
Super v1.1.9 is here! 🎉 See the changelog

Authentication

The OSS edition has no API authentication — bind to 127.0.0.1 or firewall the API port. Super Premium adds token-based auth for shared or public-facing deployments.

By default, an unauthenticated Premium server also allows open access on the bind port. In a trusted private network, that may be acceptable; for production, enable authentication.

Enabling Authentication (Premium)

To enable authentication, you must provide a root auth_secret in your configuration.

# super.toml (Premium only)
auth_secret = "my-super-secure-root-password"

Once enabled:

  1. All API requests require an Authorization: Bearer <token> header.
  2. The CLI supports super login to save credentials locally, or --token / SUPER_TOKEN for one-off use.
  3. The Web UI will prompt for authentication.

CLI Bootstrap

First-time setup on Premium:

# 1. Log in with the root secret from super.toml
super login <auth_secret> --url http://your-server:9002

# 2. Create scoped tokens for users or CI
super token create ci-bot --role operator

# 3. Optionally log in again with the new sk- token
super login sk-a1b2c3d4...

OSS users: super login against an OSS server will fail with a clear message — OSS has no authentication and does not need login.

Managing Tokens

Instead of sharing the root password, you should issue individual tokens for users or CI/CD bots.

Creating a Token

# Generate a token for a CI pipeline with Operator privileges
$ super token create ci-bot --role operator

Token Created: ci-bot (Operator)
Token: sk-a1b2c3d4... (Save this now!)

Listing Tokens

View all active tokens and their creation dates.

$ super token list

ID       Name      Prefix    Role      Created
------   -------   -------   -------   -------------------
uuid-1   ci-bot    sk-a1b2   Operator  2023-10-01 12:00:00
uuid-2   alice     sk-x9y8   Admin     2023-10-02 09:30:00

Revoking a Token

If a token is leaked, you can revoke it instantly without rotating the root password.

$ super token revoke uuid-1