Skip to content

Authentication and tokens

Every API call needs a bearer token. There are two kinds. You get a session token by logging in, and you create an API token for scripts and automation. For anything unattended, use an API token and give it only the permissions it needs.

Session tokens compared to API tokens

A session token comes from POST /v1/login (the same call the panel makes when you sign in). It is short-lived and carries your full user permissions, which makes it right for interactive use.

An API token comes from POST /v1/tokens. You choose its expiry and the exact permissions it holds, which makes it right for scripts, automation, and CI. When in doubt, reach for an API token.

Get a session token by logging in

bash
curl -X POST "https://api.galaxygate.net/v1/login" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "your-password"
  }'

The response contains a token. Save the plaintext value now, because it is returned only once. If the account has multi-factor authentication enrolled, the login flow also expects your second factor.

Save the plaintext now

GalaxyGate stores only a hash of every token. The plaintext is shown exactly once, at creation. If you lose it you cannot retrieve it. You create a new token and delete the old one.

Create an API token

Use POST /v1/tokens to mint a token bound to your user. Supply a name, an expires timestamp, and a grants map:

bash
curl -X POST "https://api.galaxygate.net/v1/tokens" \
  -H "Authorization: Bearer $SESSION_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "deploy-bot",
    "expires": "2027-01-01T00:00:00Z",
    "grants": {
      "INSTANCE": "WRITE",
      "IMAGE": "READ"
    }
  }'

The grants map

grants maps a resource kind to a permission level. There are three levels:

  • NONE: no access.
  • READ: read only.
  • WRITE: read and write.

Grant the least a token needs. A token that only powers instances on and off needs INSTANCE set to WRITE and nothing else. Anything you leave out defaults to no access, so a short grants map is a safe grants map.

Use the token

Put the token in the Authorization header on every request:

bash
curl "https://api.galaxygate.net/v1/instances/$INSTANCE_ID" \
  -H "Authorization: Bearer $GALAXYGATE_TOKEN"

Manage and revoke tokens

  • List your tokens: GET /v1/users/{uid}/tokens.
  • Fetch one token's metadata: GET /v1/tokens/{id}.
  • Delete (revoke) a token: DELETE /v1/tokens/{id}.
  • Refresh a session token to extend it: POST /v1/tokens/refresh.

Rotate a token by creating a new one, updating your scripts to use it, then deleting the old one. Because the plaintext cannot be recovered, treat a leaked token as compromised and delete it immediately.

Next step

You have a token. Use it to create your first server.

Create a server