Authentication

Pokai uses two authentication mechanisms for different contexts.

Session Auth (REST API)

Used by the frontend dashboard for developer access.

OAuth Flow

User clicks Login with GitHub
Redirect to GitHub OAuth authorization
GitHub redirects back with authorization code
Server exchanges code for access token
Server fetches user profile from GitHub API
Server creates or updates Developer record
Express session created with developer ID
Session stored in MongoDB via connect-mongo

Endpoints

Endpoint	Method	Description
`/api/auth/github`	GET	Initiate GitHub OAuth flow
`/api/auth/github/callback`	GET	OAuth callback handler
`/api/auth/me`	GET	Get current authenticated user
`/api/auth/logout`	POST	End session

Session Configuration

Sessions are cookie-based with a 7-day expiry:

{
  secret: process.env.SESSION_SECRET,
  resave: false,
  saveUninitialized: false,
  store: MongoStore.create({ mongoUrl }),
  cookie: {
    secure: process.env.NODE_ENV === "production",
    httpOnly: true,
    maxAge: 7 * 24 * 60 * 60 * 1000  // 7 days
  }
}

API Key Auth (WebSocket)

Used by bots to authenticate WebSocket connections.

Flow

Developer generates API key via the dashboard
Key is stored hashed (bcrypt) in the database
Bot connects to WebSocket
Bot sends bot:register with API key
Server validates key against AuthStore
Server verifies bot belongs to the key's developer
Connection marked as authenticated

API Key Format

32 random bytes, base64 encoded
Stored hashed (bcrypt) in the database
Displayed once to the user on creation — cannot be retrieved afterward

Usage

Include your API key in the bot:register message:

{
  "type": "bot:register",
  "botId": "my-bot",
  "name": "MyBot",
  "apiKey": "your-api-key-here",
  "timestamp": 1703001234567
}

Security Notes

API keys are hashed — we never store the raw key
Keys can be revoked from the dashboard
Each key is tied to a single developer account
Bot ownership is verified on registration

Authentication

On this page