Overview

The Agent API uses two authentication mechanisms:
  • HMAC-signed requests for account creation and login.
  • JWT bearer tokens for authenticated requests after login.

HMAC signatures

Use a cryptographically strong, unique nonce for each signed request. The nonce and signature pair must never be reused.

Create account signature

The Account/Create signature is HMAC-SHA256 of the following string, using your API secret as the key:
userName:host:eMail:password:apiKey:nonce

Login signature

The Account/Login signature is HMAC-SHA256 of the following string, using the account password as the key:
userName:host:nonce

JavaScript example

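import crypto from "crypto";

// Base64-encoded HMAC-SHA256 of message under key.
function hmacBase64(message, key) {
  return crypto.createHmac("sha256", key).update(message, "utf8").digest("base64");
}

// Fresh cryptographically strong nonce (64 hex characters); generate one per signed request.
function newNonce() {
  return crypto.randomBytes(32).toString("hex");
}

// Placeholder values; load the real ones from your vault or environment.
const host = "neuron.example.com";
const userName = "<userName>";
const eMail = "<eMail>";
const password = "<password>";
const apiKey = "<apiKey>";
const apiSecret = "<apiSecret>";

// Create: keyed with the API secret
const createNonce = newNonce();
const createMessage = `${userName}:${host}:${eMail}:${password}:${apiKey}:${createNonce}`;
const createSignature = hmacBase64(createMessage, apiSecret);

// Login: keyed with the account password, with its own nonce
const loginNonce = newNonce();
const loginMessage = `${userName}:${host}:${loginNonce}`;
const loginSignature = hmacBase64(loginMessage, password);

The host value is the domain only (no scheme). For example, use neuron.example.com, not https://neuron.example.com.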
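
To show why a nonce and signature pair cannot be reused and why the host must be the bare domain, here is the login check as seen from a verifier. This is an added sketch, not the Agent API's own code: the in-memory nonce set and the names HOST, seenNonces, signLogin, verifyLogin and demo are assumptions, and the credentials are constructed.

```javascript
// Added illustration, not the Agent API's implementation.
// Loads node:crypto under both CommonJS and ES modules.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto")
  : process.getBuiltinModule("node:crypto");

const HOST = "neuron.example.com"; // verifier's own domain, no scheme
const seenNonces = new Set();      // assumption: in-memory store of accepted nonces

function hmacBase64(message, key) {
  return nodeCrypto.createHmac("sha256", key).update(message, "utf8").digest("base64");
}

// Client side: sign userName:host:nonce with the account password.
function signLogin(userName, host, nonce, password) {
  return hmacBase64(`${userName}:${host}:${nonce}`, password);
}

// Verifier side: returns "ok", "replayed-nonce" or "bad-signature".
function verifyLogin({ userName, nonce, signature }, password) {
  if (seenNonces.has(nonce)) return "replayed-nonce";

  // Recompute over the verifier's own host, so a client that signed
  // "https://..." instead of the bare domain fails here.
  const expected = Buffer.from(signLogin(userName, HOST, nonce, password));
  const presented = Buffer.from(String(signature));
  // timingSafeEqual throws on unequal lengths, so check length first.
  const match = expected.length === presented.length &&
    nodeCrypto.timingSafeEqual(expected, presented);
  if (!match) return "bad-signature";

  seenNonces.add(nonce); // burn the nonce once a valid signature used it
  return "ok";
}

// Constructed sample run with placeholder credentials.
function demo() {
  const password = "constructed-password";
  const nonce = nodeCrypto.randomBytes(32).toString("hex");
  const request = { userName: "alice", nonce, signature: signLogin("alice", HOST, nonce, password) };
  return [verifyLogin(request, password), verifyLogin(request, password)];
}
```

The first call in demo() is accepted and the identical second call is rejected as a replay, which is the behaviour the nonce rule exists to guarantee.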

JWT bearer tokens

Most endpoints require a JWT returned by Account/Create or Account/Login. Send it as a bearer token:
Authorization: Bearer <jwt>
If you need to validate a token, use the AuthenticateJwt endpoint.

Alternative login flows

If you need browser-based login or quick device pairing, review:

Security tips

  • Use nonces with at least 32 characters of entropy.
  • Never reuse nonces or signatures.
  • Store API secrets and passwords in a secure vault.
  • Refresh JWTs before they expire.