Authentication
KV Cache Store supports two authentication paths: OIDC for the dashboard and API keys for automation.OIDC sign-in
The dashboard uses session cookies. When you click Sign in, the portal redirects you to the configured OIDC provider (Pocket-ID). After successful authentication, the provider redirects back to/auth/callback, and the portal creates:
- a customer record if you are new,
- a default organization and project,
- a storage namespace tied to the organization.
customer_id, project_id, and organization_id. Most dashboard API calls require all three values. If you have only a project_id in an old session, the request is rejected with 401 Unauthorized; sign in again to refresh the session.
The kvcdn CLI has a login command that opens the dashboard in your browser. After signing in, create an API key at Settings > API Keys and set it with kvcdn api-key set.
API keys
API keys are scoped to a project. They are intended for automation, CI pipelines, and thekvcdn CLI.
Creating an API key
- Sign in to the dashboard.
- Navigate to Settings > API Keys.
- Click Create key and copy the key. The secret is shown only once.
Using an API key with the CLI
Set the key withkvcdn api-key set or in the KVCDN_API_KEY environment variable:
kvcdn upload, kvcdn verify, and other API commands.
Verifying an API key
You can verify a key withcurl:
Revoking an API key
In the dashboard, click Revoke next to the key. Revoked keys return401 Unauthorized immediately.
Permissions
API keys currently grantwrite permission, which allows artifact uploads and metadata changes. Read-only keys are on the roadmap.
Using an API key in curl
Suspended customers
If an administrator suspends a customer, all sessions and API keys for that customer are rejected.Security recommendations
- Store API keys in a secret manager, not in source control.
- Rotate keys every 90 days.
- Use separate keys for CI upload and production download workflows.