kisenon

Auth

Sign-in, API keys, and the CLI loopback OAuth flow.

Kisenon has two ways to authenticate:

  • Web sign-in — Google or GitHub OAuth via NextAuth on the console.
  • API key — an nsk_… token that any HTTP client (including keon) can present as a Bearer credential.

The same key can drive the CLI, CI, and one-off curl calls.

Web sign-in

Open kisenon.com and click Sign in, then pick Google or GitHub. NextAuth runs the OAuth flow with the provider and exchanges the provider's ID token for a control-plane JWT via POST /v1/auth/exchange; that JWT is what every subsequent console request carries.

During alpha, sign-in is gated by an email allowlist. If you have not been onboarded, the sign-in callback returns an access_denied-style error. See Alpha access to apply.

The session lasts as long as the control-plane-signed (cp-signed) JWT is valid. The console refreshes the JWT in the background while you are active. If you leave the console open long enough for the refresh window to lapse, the next request redirects you to sign-in.

API keys

API keys are tenant-scoped credentials. Each key:

  • Carries the format nsk_<random> and is shown once at creation.
  • Is hashed at rest. The plaintext cannot be recovered after creation, so store it in a secrets manager or password manager when it is shown; if it is lost, create a new key and revoke the old one.
  • Authorises every action the issuing user can perform on their tenant.
  • Can be revoked at any time without affecting other keys.

Manage keys at Settings → API keys in the console. Each row shows a label, the creation timestamp, and the prefix (the first few characters of the key) for visual identification.
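A server-side model of what the bullets above imply, written here as an added example and not Kisenon's implementation (this page does not document its schema or hash function): mint a high-entropy nsk_ key, keep only a SHA-256 digest plus a short prefix and label, authenticate by hashing the presented key, and revoke by id. Names such as ApiKeyStore and PREFIX_LEN are this example's own.

```python
import hashlib
import secrets
import time

PREFIX_LEN = 8  # enough to recognise a key in the console; useless for guessing it


def _digest(key):
    # A key with 256 bits of randomness needs no salt and no slow KDF: brute
    # force is infeasible and precomputed tables are pointless. (Passwords are
    # low-entropy and would need a KDF such as scrypt or Argon2 instead.)
    return hashlib.sha256(key.encode()).hexdigest()


class ApiKeyStore:
    """Tenant-scoped API keys, hashed at rest. Illustrative model, not Kisenon's schema."""

    def __init__(self):
        self._rows = {}        # key id -> metadata row; never holds the plaintext
        self._by_digest = {}   # digest -> key id, for O(1) lookup on every request

    def create(self, tenant, user, label):
        """Mint a key. The plaintext is returned exactly once and is not stored."""
        plaintext = "nsk_" + secrets.token_urlsafe(32)
        row = {
            "id": secrets.token_hex(8),
            "tenant": tenant,
            "user": user,            # the key authorises what this user can do
            "label": label,
            "prefix": plaintext[:PREFIX_LEN],
            "created": int(time.time()),
            "revoked": False,
        }
        self._rows[row["id"]] = row
        self._by_digest[_digest(plaintext)] = row["id"]
        return plaintext, row["id"]

    def authenticate(self, presented):
        """Return the owning row for a live key, else None.
        Unknown and revoked keys get the same answer so a caller cannot tell them apart."""
        if not isinstance(presented, str) or not presented.startswith("nsk_"):
            return None
        key_id = self._by_digest.get(_digest(presented))
        if key_id is None:
            return None
        row = self._rows[key_id]
        return None if row["revoked"] else row

    def revoke(self, key_id):
        """Disable one key; every other key on the tenant keeps working."""
        self._rows[key_id]["revoked"] = True

    def list_keys(self, tenant):
        """What a Settings → API keys page would show: label, created, prefix. No digest."""
        return [
            {"id": r["id"], "label": r["label"], "created": r["created"],
             "prefix": r["prefix"], "revoked": r["revoked"]}
            for r in self._rows.values() if r["tenant"] == tenant
        ]
```

The prefix is stored separately because the digest cannot be truncated back into one; it is for humans matching a row to the key in their password manager, and eight characters of a 43-character random token give an attacker nothing useful.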

CLI loopback OAuth

keon login does not ask you to paste an API key. Instead it runs a loopback OAuth flow:

  1. The CLI starts a local HTTP listener on the loopback interface on a random high port.
  2. It opens your browser to https://kisenon.com/cli/authorize?... with a one-shot state token and the loopback redirect URL.
  3. You sign in (or are already signed in) and click Authorize.
  4. The console redirects to the loopback URL with a short-lived code.
  5. The CLI exchanges the code at POST /v1/auth/cli/exchange for a freshly minted API key.
  6. The key is persisted at ~/.config/keon/credentials.json with mode 0600.

After the flow, keon whoami confirms the key is wired:

keon login
keon whoami

The CLI does not store the OAuth code, the state, or any provider-side token; only the resulting API key. Rotate or revoke that key from the console at any time.
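The six steps above as a runnable Python sketch of the CLI side. This is an added example, not keon's own code: the query-parameter names (state, redirect_uri, code), the /callback path, the JSON shape of the exchange request and response, and the host used for the exchange endpoint are assumptions; the authorize URL and the credentials file mode are from the page. The points a reviewer would check are all here: the listener binds to 127.0.0.1 only, a redirect whose state does not match the one the CLI generated is refused, a code is accepted at most once, and the key is written with mode 0600.

```python
# Added example, not keon's code. Assumed: parameter names state/redirect_uri/code,
# the /callback path, the exchange JSON shape and the exchange endpoint's host.
import json
import os
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

AUTHORIZE_URL = "https://kisenon.com/cli/authorize"                 # from the page
EXCHANGE_URL = "https://api.test.kisenon.com/v1/auth/cli/exchange"  # host assumed


class LoopbackReceiver:
    """Listener on 127.0.0.1 (never 0.0.0.0) that accepts one valid redirect."""

    def __init__(self):
        self.state = secrets.token_urlsafe(32)   # one-shot, unguessable
        self.code = None
        self._done = threading.Event()
        receiver = self

        class Handler(BaseHTTPRequestHandler):
            def log_message(self, *args):        # keep the code out of stdout
                pass

            def do_GET(self):
                url = urllib.parse.urlsplit(self.path)
                query = urllib.parse.parse_qs(url.query)
                if url.path != "/callback":
                    self.send_error(404)
                    return
                if receiver._done.is_set():       # a code is accepted once only
                    self.send_error(410, "already used")
                    return
                # A wrong state means this request did not come from the authorize
                # URL we opened (anyone can hit a loopback port): refuse, keep waiting.
                if not secrets.compare_digest(query.get("state", [""])[0], receiver.state):
                    self.send_error(400, "state mismatch")
                    return
                code = query.get("code", [""])[0]
                if not code:
                    self.send_error(400, "missing code")
                    return
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.end_headers()
                self.wfile.write(b"Authorized. You can close this tab.")
                receiver.code = code
                receiver._done.set()

        # Port 0 asks the OS for a free high port; bind to loopback only.
        self.server = HTTPServer(("127.0.0.1", 0), Handler)
        self.port = self.server.server_address[1]
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    def redirect_uri(self):
        return f"http://127.0.0.1:{self.port}/callback"

    def authorize_url(self):
        params = {"state": self.state, "redirect_uri": self.redirect_uri()}
        return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)

    def wait(self, timeout=120):
        """Block until a valid redirect arrives, then stop listening."""
        arrived = self._done.wait(timeout)
        self.server.shutdown()
        self.server.server_close()
        if not arrived:
            raise TimeoutError("no redirect received")
        return self.code


def exchange_code(code, post=None):
    """Trade the one-time code for a freshly minted API key (JSON shape assumed).
    `post(url, body) -> dict` is injectable so the flow can be exercised offline."""
    if post is None:
        def post(url, body):
            req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                         headers={"Content-Type": "application/json"},
                                         method="POST")
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.load(resp)
    key = post(EXCHANGE_URL, {"code": code}).get("api_key", "")
    if not key.startswith("nsk_"):
        raise RuntimeError("exchange did not return an API key")
    return key


def persist_key(key, path):
    """Write credentials.json with mode 0600; chmod again in case the file already existed."""
    directory = os.path.dirname(path)
    if directory:
        os.makedirs(directory, mode=0o700, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump({"api_key": key}, f)
    os.chmod(path, 0o600)


def simulate_redirect(receiver, state, code):
    """Demo-only stand-in for the browser hitting the loopback URL; returns the HTTP status."""
    query = urllib.parse.urlencode({"state": state, "code": code})
    try:
        with urllib.request.urlopen(receiver.redirect_uri() + "?" + query, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
```

A real login would open receiver.authorize_url() in the browser, call receiver.wait(), pass the code to exchange_code, and hand the result to persist_key. Nothing but the resulting key is written: the state and code live only in memory for the duration of the flow.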

Logout

keon logout revokes the local API key on the server and removes the credentials file. After logout, running keon login again mints a new key; revoked credentials cannot be reactivated.

keon logout

Console sign-out clears the browser session and redirects to the landing page; it does not revoke API keys you minted via the CLI. Use Settings → API keys to revoke those individually.

Bearer auth from arbitrary clients

Any client that speaks HTTP can hit the control plane:

curl -H "Authorization: Bearer $KISENON_API_KEY" \
  https://api.test.kisenon.com/v1/projects

The bearer token is either an API key (nsk_…) or a cp-signed JWT issued via /v1/auth/exchange. Both are equivalent for tenant-scoped endpoints.

  • CLI — install, login, common commands.
  • Security — disclosure policy.
  • FAQ — short answers to the most-asked questions.