Authentication
rockstar.ninja uses Ed25519 SSH keypair authentication. There are no passwords, no emails, no OAuth providers. Your identity is your keypair.
How it works
Registration
Registration happens automatically the first time you push a session or plan. When no keypair exists:
- An Ed25519 keypair is generated locally
- The private key is saved to ~/.rn/private.key
- The public key (derived from the private key) is sent to the server
- The server returns a SHA-256 fingerprint of your public key
This fingerprint is your unique account identifier. You can also register explicitly with rn account register.
Login
When you run rn account login (or any command that needs authentication):
- The CLI sends your fingerprint to POST /api/v1/account/challenge
- The server generates a random nonce (valid for 5 minutes)
- The CLI signs the message rockstar.ninja.v1.auth:{nonce}:{fingerprint} with your private key
- The CLI sends the signature to POST /api/v1/account/verify
- The server verifies the signature against your registered public key
- The server returns a JWT (valid for 24 hours by default)
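The exchange above, written out as an added Go example with both sides present (this is illustration code, not the rn CLI's or the rockstar.ninja server's own implementation). The server here is an in-memory stand-in; the fingerprint is assumed to be the lowercase hex SHA-256 of the raw 32-byte public key (the page says only "SHA-256 fingerprint"); the returned token is a placeholder string where a real server would mint a JWT. The signed message format and the 5-minute, single-use nonce rules are taken from the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

// Fingerprint: assumed to be hex SHA-256 over the raw 32-byte key (the page says only "SHA-256 fingerprint").
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// AuthMessage is the exact string the CLI signs, in the format documented above.
func AuthMessage(nonce, fingerprint string) string {
	return "rockstar.ninja.v1.auth:" + nonce + ":" + fingerprint
}

type challenge struct {
	fingerprint string    // account the nonce was issued to
	expires     time.Time // issue time + 5 minutes
	used        bool      // nonces are single-use
}

type Server struct { // hypothetical in-memory stand-in for the rockstar.ninja API
	keys       map[string]ed25519.PublicKey // fingerprint -> registered public key
	challenges map[string]*challenge        // nonce -> challenge state
	now        func() time.Time             // injectable clock so expiry can be tested
}

func NewServer() *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, challenges: map[string]*challenge{}, now: time.Now}
}

// Register stores the public key and returns the fingerprint that identifies the account.
func (s *Server) Register(pub ed25519.PublicKey) string {
	fp := Fingerprint(pub)
	s.keys[fp] = pub
	return fp
}

// Challenge models POST /api/v1/account/challenge: a random nonce bound to the requesting fingerprint.
func (s *Server) Challenge(fp string) (string, error) {
	if _, ok := s.keys[fp]; !ok {
		return "", errors.New("unknown fingerprint")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(raw)
	s.challenges[nonce] = &challenge{fingerprint: fp, expires: s.now().Add(5 * time.Minute)}
	return nonce, nil
}

// Verify models POST /api/v1/account/verify and returns a placeholder token on success.
func (s *Server) Verify(fp, nonce string, sig []byte) (string, error) {
	c, ok := s.challenges[nonce]
	if !ok || c.used {
		return "", errors.New("unknown or already used nonce")
	}
	c.used = true // consumed on the first attempt, success or not: no replay, no retry
	if s.now().After(c.expires) {
		return "", errors.New("nonce expired")
	}
	if c.fingerprint != fp {
		return "", errors.New("nonce was issued to a different account")
	}
	if !ed25519.Verify(s.keys[fp], []byte(AuthMessage(nonce, fp)), sig) {
		return "", errors.New("signature does not verify against the registered key")
	}
	return "placeholder-jwt-for-" + fp[:8], nil // a real server mints a signed JWT here
}

// Client holds the private key the CLI keeps in ~/.rn/private.key; it never leaves the machine.
type Client struct{ priv ed25519.PrivateKey }
func NewClient() (*Client, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader) // generated locally on first use
	return &Client{priv: priv}, err
}

func (c *Client) PublicKey() ed25519.PublicKey { return c.priv.Public().(ed25519.PublicKey) }
func (c *Client) Fingerprint() string        { return Fingerprint(c.PublicKey()) }

// Sign produces the signature the CLI sends along with the nonce.
func (c *Client) Sign(nonce string) []byte {
	return ed25519.Sign(c.priv, []byte(AuthMessage(nonce, c.Fingerprint())))
}

// Login runs the whole exchange: challenge, sign, verify, token.
func Login(c *Client, s *Server) (string, error) {
	nonce, err := s.Challenge(c.Fingerprint())
	if err != nil {
		return "", err
	}
	return s.Verify(c.Fingerprint(), nonce, c.Sign(nonce))
}
```

Two design points worth noticing: the nonce is bound to the fingerprint that requested it, so a challenge issued to one account cannot be answered for another, and it is marked used before any check runs, so a captured signature cannot be replayed and a failed attempt cannot be retried against the same nonce. The client never sends the private key; `Register` sees only the derived public key.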
Token caching
The JWT is stored at ~/.rn/token with permissions 0600. It's refreshed automatically — if a request returns 401, the CLI silently re-authenticates.
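The caching behaviour described here, as an added Go example (not the rn CLI's own code): the token file is created with mode 0600 and refused if it is readable by other users, and a 401 answer triggers one silent re-authentication, a cache update and a retry. The `Authorization: Bearer` header and the `Authenticator` callback are assumptions; the page does not say how the JWT is presented to the API, and in the real CLI the callback would be the challenge/verify exchange.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"os"
	"path/filepath"
)

// Doer is what Do needs from an HTTP client; *http.Client satisfies it.
type Doer interface {
	Do(*http.Request) (*http.Response, error)
}

// TokenStore keeps the cached JWT on disk; the CLI uses ~/.rn/token.
type TokenStore struct{ Path string }

// Save writes the token, creating the file with mode 0600 so it is never
// readable by other users, even for an instant.
func (ts TokenStore) Save(token string) error {
	if err := os.MkdirAll(filepath.Dir(ts.Path), 0o700); err != nil {
		return err
	}
	f, err := os.OpenFile(ts.Path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
		return err
	}
	if _, err := f.WriteString(token); err != nil {
		f.Close()
		return err
	}
	if err := f.Close(); err != nil {
		return err
	}
	// An existing file keeps its old mode; tighten it in case it was created elsewhere.
	return os.Chmod(ts.Path, 0o600)
}

// Load returns the cached token, refusing a file that other users could read.
func (ts TokenStore) Load() (string, error) {
	info, err := os.Stat(ts.Path)
	if err != nil {
		return "", err
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return "", fmt.Errorf("token file %s has mode %04o, want 0600", ts.Path, perm)
	}
	b, err := os.ReadFile(ts.Path)
	return string(b), err
}

// Authenticator obtains a fresh token (assumed hook; in the real CLI this is
// the challenge/verify exchange described above).
type Authenticator func() (string, error)

func refresh(ts TokenStore, auth Authenticator) (string, error) {
	tok, err := auth()
	if err != nil {
		return "", err
	}
	return tok, ts.Save(tok)
}

// send attaches the token as a bearer header; the header name is an assumption.
func send(client Doer, req *http.Request, token string) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+token)
	return client.Do(r)
}

// Do sends an API request with the cached token. If the cache is missing or
// unusable, or the server answers 401, it re-authenticates once, saves the new
// token and retries. Only bodiless requests (GET) are safe to retry this way.
func Do(client Doer, ts TokenStore, auth Authenticator, req *http.Request) (*http.Response, error) {
	if req.Body != nil {
		return nil, errors.New("Do retries requests and only supports bodiless ones")
	}
	tok, err := ts.Load()
	if err != nil {
		if tok, err = refresh(ts, auth); err != nil {
			return nil, err
		}
	}
	resp, err := send(client, req, tok)
	if err != nil || resp.StatusCode != http.StatusUnauthorized {
		return resp, err
	}
	resp.Body.Close()
	if tok, err = refresh(ts, auth); err != nil {
		return nil, err
	}
	return send(client, req, tok)
}
```

`Load` deliberately fails closed on a loose mode rather than quietly using the token: a cache that has become world-readable is a sign something else touched the file, and refusing it forces a re-authentication that overwrites it with the correct mode.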
Security considerations
- Your private key is never sent to the server. Only the public key is registered. Authentication proves possession of the private key by signing a challenge.
- Keep your private key safe. If you lose it, you lose access to your account. There is no recovery mechanism.
- The JWT is stored in plaintext on disk at ~/.rn/token. It has a limited lifetime (24 hours by default), and the file permissions are restricted to your user.
- Challenge nonces are single-use and expire after 5 minutes.
Key path
The default key location can be changed in ~/.rn/config.toml:
[auth]
private_key = "~/.rn/private.key"
The ~ prefix is expanded to your home directory. The public key is derived from the private key automatically — no separate file is needed.
Web login
The CLI authentication described above is used for API calls (pushing sessions, managing your account, etc.). To view private content on the website, you need to authenticate your browser separately.
Run rn login to log in:
rn login
This opens your default browser and exchanges a one-time code for a session cookie (rn_session). The browser session lasts 30 days — during that time, you can view your private sessions, plans, and projects directly on the site.
The login code is single-use and expires after 5 minutes. If it expires, run rn login again.
Once logged in, the toolbar shows your @username (or truncated fingerprint if no username is set) along with the session expiry. You can log out at any time via the toolbar button.
Note: rn login is distinct from rn account login. The latter authenticates the CLI itself (obtaining a JWT for API calls). rn login authenticates your browser for viewing content on the website.