hiveloom auth
Manages bearer tokens for the admin API. Use these tokens with
--token "$TOKEN" (or HIVELOOM_TOKEN env var) on any other CLI command
that hits a remote instance, and as the Authorization: Bearer header
when calling the admin API directly.
Synopsis
hiveloom auth [GLOBAL FLAGS] <COMMAND>Global flags
| Flag | Description |
|---|---|
--endpoint <URL> | API endpoint. |
--token <TOKEN> | Existing bearer token for remote access. (You need a token to create more.) |
--json | JSON output. |
Subcommands
| Subcommand | Purpose |
|---|---|
token-create | Mint a new bearer token. The plaintext is shown once — capture it now. |
token-list | List token IDs and metadata (never the secret). |
token-revoke | Revoke a token by ID. |
Run hiveloom auth <subcommand> --help for arguments.
Examples
Create a token on a fresh local instance (no auth required for the first token):
hiveloom auth token-create --name "ops-laptop"
# Output includes the token plaintext exactly once. Store it in a secret manager.Use the token from another machine:
export HIVELOOM_TOKEN="hlk_..."
hiveloom status --endpoint https://hiveloom.example.com --token "$HIVELOOM_TOKEN"List token IDs so you can revoke a leaked one:
hiveloom auth token-list
hiveloom auth token-revoke tok_abc123Security model
- Tokens are stored hashed; the plaintext only exists in your hands.
- Revocation is immediate — Hiveloom checks the hash on every request.
- A revoked token cannot be re-issued; create a new one.
- A leaked token grants the same admin scope as the issuer; rotate by creating a new token before revoking the old.