> ## Documentation Index
> Fetch the complete documentation index at: https://docs.neuro-tech.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Sign requests and use JWTs securely

## Overview

The Agent API uses two authentication mechanisms:

* **HMAC-signed requests** for account creation and login.
* **JWT bearer tokens** for authenticated requests after login.

## HMAC signatures

Use a cryptographically strong, unique nonce for each signed request. The nonce
and signature pair must never be reused.

### Create account signature

The `Account/Create` signature is HMAC-SHA256 of the following string, using
your API secret as the key:

```
userName:host:eMail:password:apiKey:nonce
```

### Login signature

The `Account/Login` signature is HMAC-SHA256 of the following string, using the
account password as the key:

```
userName:host:nonce
```

### JavaScript example

```js theme={null}
import crypto from "crypto";

function hmacBase64(message, key) {
  return crypto.createHmac("sha256", key).update(message, "utf8").digest("base64");
}

const host = "neuron.example.com";
const nonce = "random-unique-string-at-least-32-chars";

// Create
const createMessage = `${userName}:${host}:${eMail}:${password}:${apiKey}:${nonce}`;
const createSignature = hmacBase64(createMessage, apiSecret);

// Login
const loginMessage = `${userName}:${host}:${nonce}`;
const loginSignature = hmacBase64(loginMessage, password);
```

<Note>
  The host value is the domain only (no scheme). For example, use
  `neuron.example.com`, not `https://neuron.example.com`.
</Note>

## JWT bearer tokens

Most endpoints require a JWT returned by `Account/Create` or `Account/Login`.
Send it as a bearer token:

```http theme={null}
Authorization: Bearer <jwt>
```

If you need to validate a token, use the
[AuthenticateJwt](/manual-api-reference/accounts/authenticate-jwt) endpoint.

## Alternative login flows

If you need browser-based login or quick device pairing, review:

* [Quick login](/manual-api-reference/accounts/quick-login)
* [WWW login](/manual-api-reference/accounts/www-login)

## Security tips

* Use nonces with at least 32 characters of entropy.
* Never reuse nonces or signatures.
* Store API secrets and passwords in a secure vault.
* Refresh JWTs before they expire.
