Authentication

rockstar.ninja uses Ed25519 SSH keypair authentication. There are no passwords, no emails, no OAuth providers. Your identity is your keypair.

How it works

Registration

Registration happens automatically the first time you push a session or plan. When no keypair exists:

  1. An Ed25519 keypair is generated locally
  2. Keys are saved to ~/.rn/private.key and ~/.rn/public.key
  3. The public key is sent to the server
  4. The server returns a SHA-256 fingerprint of your public key

This fingerprint is your unique account identifier. You can also register explicitly with rn account register.

Login

When you run rn account login (or any command that needs authentication):

  1. The CLI sends your fingerprint to POST /api/v1/account/challenge
  2. The server generates a random nonce (valid for 5 minutes)
  3. The CLI signs the message rockstar.ninja.v1.auth:{nonce}:{fingerprint} with your private key
  4. The CLI sends the signature to POST /api/v1/account/verify
  5. The server verifies the signature against your registered public key
  6. The server returns a JWT (valid for 24 hours by default)

Token caching

The JWT is stored at ~/.rn/token with permissions 0600. It's refreshed automatically — if a request returns 401, the CLI silently re-authenticates.

Security considerations

  • Your private key is never sent to the server. Only the public key is registered. Authentication proves possession of the private key by signing a challenge.
  • Keep your private key safe. If you lose it, you lose access to your account. There is no recovery mechanism.
  • The JWT is stored in plaintext on disk at ~/.rn/token. It has a limited lifetime (24 hours by default), and the file permissions are restricted to your user.
  • Challenge nonces are single-use and expire after 5 minutes.
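
The login exchange and the nonce rules above, as an added example in Go (not rockstar.ninja's own code). The in-memory maps, the function names, and the hex encodings of the fingerprint and nonce are assumptions; only the signed message format and the 5-minute lifetime come from this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// Hypothetical in-memory server state standing in for the two auth endpoints.
var keys = map[string]ed25519.PublicKey{} // fingerprint -> registered public key
var nonces = map[string]time.Time{}       // "fingerprint:nonce" -> expiry

// Register stores a key; hex SHA-256 over the raw key bytes is an assumed encoding.
func Register(pub ed25519.PublicKey) string {
	fp := fmt.Sprintf("%x", sha256.Sum256(pub))
	keys[fp] = pub
	return fp
}

// Challenge issues a random nonce bound to one fingerprint, valid for 5 minutes.
func Challenge(fp string, now time.Time) string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand, not math/rand
	n := fmt.Sprintf("%x", b)
	nonces[fp+":"+n] = now.Add(5 * time.Minute)
	return n
}

// AuthMessage builds the string the CLI signs, in the format given on the page.
func AuthMessage(nonce, fp string) []byte {
	return []byte("rockstar.ninja.v1.auth:" + nonce + ":" + fp)
}

// Verify consumes the nonce first, so a failed or repeated attempt cannot reuse it.
func Verify(fp, nonce string, sig []byte, now time.Time) bool {
	exp, issued := nonces[fp+":"+nonce]
	delete(nonces, fp+":"+nonce)
	pub, known := keys[fp]
	return issued && known && !now.After(exp) && ed25519.Verify(pub, AuthMessage(nonce, fp), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	fp, now := Register(pub), time.Now()
	n := Challenge(fp, now)
	sig := ed25519.Sign(priv, AuthMessage(n, fp))
	fmt.Println(Verify(fp, n, sig, now), Verify(fp, n, sig, now)) // true false (second call is a replay)
}
```

Because the fingerprint is part of the signed message and of the nonce lookup key, a signature produced for one account's challenge cannot be presented for another account.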

Key paths

The default key locations can be changed in ~/.rn/config.toml:

[auth]
private_key = "~/.rn/private.key"
public_key = "~/.rn/public.key"

The ~ prefix is expanded to your home directory.