Authentication

Console APIs require the HTTP header:

access-token: <JWT>

(Defined as Constants.ACCESS_TOKEN in sp-tr-api.)

Non-interactive login (agents + CI)

Email verification flow

1. Request code (human step or separate automation):

   GET /api/login/getVerificationCode/{userName}

2. Exchange code for token:

   sp auth login --email user@corp.com --code 123456 --json

   REST: POST /api/login/verify with body { "userName", "verifyCode", ... }

3. CLI writes token to the shared config file in ${XDG_CONFIG_HOME:-~/.config}/softprobe/config.jsonc unless --no-save.

CI / agent hosts

Set a long-lived token from your secret store:

export SP_TOKEN="eyJ..."
sp app list --json

Never commit tokens to git. Rotate on leak.

Token refresh

sp auth refresh --user user@corp.com --json

REST: GET /api/login/refresh/{userName}

Add --no-save when an agent or CI job should receive a token without touching local config:

export SP_TOKEN="$(sp auth refresh --user user@corp.com --no-save --json | jq -r .data.token)"

Guest login

If enabled on the server:

sp auth login --guest --json

REST: POST /api/login/loginAsGuest

OAuth

OAuth flows are browser-based. Agents should use pre-provisioned SP_TOKEN rather than driving OAuth interactively.

Document for humans: GET /api/login/oauthInfo/{oauthType}, POST /api/login/oauthLogin.

Who am I

sp auth whoami --json

Decodes JWT userName or calls profile endpoint when implemented.

Errors

Situation	Exit code
Missing token with --json	3 (AUTH_REQUIRED)
Expired or invalid token	1 (API_ERROR)

Related

• config
• auth command