Token Auth
Use token auth when your app should send Authorization: Bearer <token> on every request instead of raw user/password credentials.
KalamDB supports two token sources:
- internal JWTs returned by
POST /v1/api/auth/login - external OIDC JWTs from trusted issuers such as Firebase or Keycloak
Internal Token Flow
The built-in login flow is:
- Send user and password to
POST /v1/api/auth/login. - Receive
access_tokenandrefresh_token. - Send the access token on API and WebSocket requests.
- Refresh it through
POST /v1/api/auth/refreshwhen needed.
Login
curl -X POST http://127.0.0.1:2900/v1/api/auth/login \ -H 'Content-Type: application/json' \ -d '{"user":"admin","password":"AdminPass123!"}'Typical response fields:
access_tokenrefresh_tokenexpires_ator token-expiry metadata- authenticated user profile fields
Use the access token
TOKEN="<access_token>" curl -X POST http://127.0.0.1:2900/v1/api/sql \ -H "Authorization: Bearer $TOKEN" \ -H 'Content-Type: application/json' \ -d '{"sql":"SELECT CURRENT_USER();"}'Refresh Tokens
REFRESH="<refresh_token>" curl -X POST http://127.0.0.1:2900/v1/api/auth/refresh \ -H "Authorization: Bearer $REFRESH"Use the returned access token for subsequent requests.
Checking Auth State
There are two practical checks:
Check the current authenticated user
curl http://127.0.0.1:2900/v1/api/auth/me \ -H "Authorization: Bearer $TOKEN"This confirms whether the token is accepted and shows the current user record.
Check from SQL
curl -X POST http://127.0.0.1:2900/v1/api/sql \ -H "Authorization: Bearer $TOKEN" \ -H 'Content-Type: application/json' \ -d '{"sql":"SELECT CURRENT_USER();"}'This is the fastest way to confirm the runtime identity that SQL sees.
External Provider Tokens
If you already have a JWT from Firebase, Keycloak, or another trusted OIDC issuer, skip the login endpoint and send that token directly as a bearer token.
KalamDB will:
- read
algandiss - reject untrusted issuers
- perform OIDC discovery for the issuer
- fetch and cache the issuer JWKS
- validate the token signature and claims
- resolve or create the matching local user
Provider setup details live in:
SDK Pattern
For long-lived apps, return a fresh token from the SDK auth provider callback instead of hard-coding a token once.
TypeScript
import { Auth, createClient, type AuthProvider } from '@kalamdb/client'; const authProvider: AuthProvider = async () => { const token = await myApp.getOrRefreshJwt(); return Auth.jwt(token);}; const client = createClient({ url: 'https://db.example.com', authProvider,});Dart
final client = await KalamClient.connect( url: 'https://db.example.com', authProvider: () async { final token = await myApp.getOrRefreshJwt(); return Auth.jwt(token); },);Configuration Notes
Internal token auth still depends on a strong shared secret:
[authentication]jwt_secret = "replace-with-strong-random-secret-32-plus-chars"cookie_secure = trueUse KALAMDB_JWT_SECRET in production instead of committing secrets to server.toml.