Documentation menu

docs

Authentication

How signing in, API keys, and agent connections work, and how they stay separate.

Last updated 2026-07-10

Web sessions

Sign in with Google, GitHub, or a magic link. The session is a signed, HTTP-only cookie. It gates /studio, /brand, and /profile.

API keys

Keys are minted from your account, scoped (read, generate, brand, publish, or *), shown exactly once, and stored only as a hash. Rotate by revoking and minting again.

request header
Authorization: Bearer cadk_your_key_here

Agent connections

Agents never handle a pasted credential. npx cadenza connect starts a device-style grant: your browser (a signed-in human) approves a code, the key is minted server-side and delivered to the agent exactly once. The claude.ai remote connector uses OAuth 2.1 with PKCE and dynamic client registration instead.

Scopes

ScopeGrants
readStory reports, model roster, prompt plans, brand listing
generategenerate_video, refine_shot, extend_sequence, animate_image, staged generation
brandSaving and updating Brand Memory profiles
publishPublish previews and confirmed posting
*Everything above

Note: Least privilege is enforced: a key without generate cannot start billable work, which is covered by live end-to-end tests.

Authentication | Cadenza Docs