PumaMesh API and CLI Reference: Authentication Overview
Authenticate to PumaMesh programmatically and understand how API and CLI access is secured and governed.
Anything you can do in the PumaMesh console you can also do through its API and CLI. Before you can call an endpoint or run a command, you have to authenticate, and your identity then determines exactly which data you can see. This article explains the supported authentication methods and how access is enforced.
Supported authentication methods
PumaMesh supports secure authentication with LDAP, OIDC, and 2FA. Interactive users typically sign in with their LDAP or OIDC identity and a second factor. For automated and programmatic access, use API tokens so scripts and services authenticate without a human in the loop. Use the same node URL you use for the console as the base for API calls.
API tokens
Create an API token from your account area, then send it as a bearer token in the Authorization header of each request (Authorization: Bearer <token>). Treat tokens like passwords: store them in a secret manager, never commit them to source control, and rotate them on a regular schedule. Revoke any token immediately if it may have been exposed. A token always inherits the tags and permissions of the identity that created it.
How access is enforced
API and CLI access is governed by the same ABAC keyword policies as the console. After you authenticate, your effective tags (resolved from your LDAP attributes plus any local assignments) are evaluated against each file's required tags. A request returns a file only when that file's required tags are a subset of your effective tags. Because an API token carries the tags of the identity that created it, a token can never see more than that user can, so the same access rules apply everywhere.
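The following Python model is an added illustration, not PumaMesh's own code, of the two rules stated above: an API token inherits the effective tags of the identity that created it, and a file is returned only when its required tags are a subset of the caller's effective tags. The class names, the split into `ldap_attributes` and `local_assignments`, the revoked-token handling, and the sample catalog and tag values are all assumptions made for this example; PumaMesh's real tag names and data model are not shown on this page.

```python
"""Model of PumaMesh-style ABAC tag evaluation for API and CLI callers.

Added example (not PumaMesh's code). Names, tag values and the catalog below
are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """An interactive user. Effective tags are the union of two sources
    (assumption: this mirrors 'LDAP attributes plus local assignments')."""
    name: str
    ldap_attributes: frozenset        # tags derived from LDAP attributes
    local_assignments: frozenset = frozenset()  # tags assigned locally

    def effective_tags(self) -> frozenset:
        return self.ldap_attributes | self.local_assignments


@dataclass(frozen=True)
class ApiToken:
    """A programmatic credential. It has no tags of its own; it inherits
    whatever its owner currently resolves to. Revocation is modelled as a flag
    (assumption for this example)."""
    token_id: str
    owner: Identity
    revoked: bool = False


def resolve_principal_tags(principal):
    """Return the caller's effective tags, or None if the credential is unusable."""
    if isinstance(principal, ApiToken):
        if principal.revoked:
            return None
        # A token never widens access: it resolves to its creator's tags.
        return principal.owner.effective_tags()
    return principal.effective_tags()


def can_read(principal, file_required_tags) -> bool:
    """The ABAC subset rule: required tags must be a subset of effective tags.
    A file with no required tags is visible to any authenticated principal."""
    tags = resolve_principal_tags(principal)
    if tags is None:
        return False
    return frozenset(file_required_tags) <= tags


def visible_files(principal, catalog: dict) -> list:
    """Filter a catalog {filename: required_tags} down to what the caller may see."""
    return [name for name, required in catalog.items() if can_read(principal, required)]


# --- constructed sample data -------------------------------------------------
CATALOG = {
    "public-readme.txt": set(),
    "eu-finance-q3.csv": {"region:eu", "dept:finance"},
    "eu-finance-secret.xlsx": {"region:eu", "dept:finance", "clearance:confidential"},
    "us-hr.csv": {"region:us", "dept:hr"},
}

ALICE = Identity("alice", frozenset({"region:eu", "dept:finance"}),
                 frozenset({"clearance:confidential"}))   # local assignment adds clearance
BOB = Identity("bob", frozenset({"region:eu", "dept:finance"}))
ALICE_TOKEN = ApiToken("tok-alice-ci", ALICE)            # used by a CI job
REVOKED_TOKEN = ApiToken("tok-alice-old", ALICE, revoked=True)


def token_is_bounded_by_owner(token: ApiToken, catalog: dict) -> bool:
    """Check that a token can see nothing its owner cannot see."""
    return set(visible_files(token, catalog)) <= set(visible_files(token.owner, catalog))


if __name__ == "__main__":
    for principal in (ALICE, BOB, ALICE_TOKEN, REVOKED_TOKEN):
        label = getattr(principal, "name", None) or getattr(principal, "token_id")
        print(f"{label:14s} -> {visible_files(principal, CATALOG)}")
```

Run as a script, the model shows Alice seeing three files, Bob (who lacks the locally assigned clearance tag) seeing two, Alice's CI token seeing exactly what Alice sees, and the revoked token seeing nothing. The subset comparison (`<=` on frozensets) is the whole policy: there is no separate permission table for tokens, which is why revoking a user's tag or the token itself is sufficient to cut off programmatic access.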
CLI access
The PumaMesh CLI wraps the same API, so it authenticates with the same credentials and respects the same ABAC policies. Point the CLI at your node URL and provide an API token (typically via an environment variable so it is never echoed on the command line). Because the CLI honors your tags, it is a convenient way to script transfers, labeling, and discovery while staying inside your authorized data set.