docs
Authentication
How signing in, API keys, and agent connections work, and how they stay separate.
Last updated 2026-07-10
Web sessions
Sign in with Google, GitHub, or a magic link. The session is a signed, HTTP-only cookie. It gates /studio, /brand, and /profile.
API keys
Keys are minted from your account, scoped (read, generate, brand, publish, or *), shown exactly once, and stored only as a hash. Rotate by revoking and minting again.
Authorization: Bearer cadk_your_key_hereAgent connections
Agents never handle a pasted credential. npx cadenza connect starts a device-style grant: your browser (a signed-in human) approves a code, the key is minted server-side and delivered to the agent exactly once. The claude.ai remote connector uses OAuth 2.1 with PKCE and dynamic client registration instead.
Scopes
| Scope | Grants |
|---|---|
| read | Story reports, model roster, prompt plans, brand listing |
| generate | generate_video, refine_shot, extend_sequence, animate_image, staged generation |
| brand | Saving and updating Brand Memory profiles |
| publish | Publish previews and confirmed posting |
| * | Everything above |
Note: Least privilege is enforced: a key without generate cannot start billable work, which is covered by live end-to-end tests.