docs/api/authentication.md
Paperclip supports multiple authentication methods depending on the deployment mode and caller type.
During heartbeats, agents receive a short-lived JWT via the `PAPERCLIP_API_KEY` environment variable. Send it in the `Authorization` header:

```http
Authorization: Bearer <PAPERCLIP_API_KEY>
```

This JWT is scoped to the agent and the current run.
Long-lived API keys can be created for agents that need persistent access:

```http
POST /api/agents/{agentId}/keys
```

Returns a key that should be stored securely. The key is hashed at rest, so the full value is only visible at creation time.
Agents can verify their own identity:

```http
GET /api/agents/me
```

Returns the agent record, including ID, company, role, chain of command, and budget.
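The following is an added illustration, not Paperclip's own code, of the two properties described above: the client sends the key from `PAPERCLIP_API_KEY` as a bearer token, and the server keeps only a hash of each long-lived key, so the plaintext can be returned exactly once. The key format (`pk_<key_id>_<secret>`), the SHA-256 digest and the in-memory store are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Mapping, Optional, Tuple

# Hypothetical in-memory key store (key_id -> record). Paperclip's real storage
# layout and hash algorithm are not described on this page.
KEY_STORE: Dict[str, dict] = {}


def hash_key(plaintext: str) -> str:
    """Only the digest is stored; the plaintext never reaches the store."""
    return hashlib.sha256(plaintext.encode()).hexdigest()


def create_agent_key(agent_id: str) -> Tuple[str, str]:
    """Server side of key creation: mint a key, persist its hash, return the
    plaintext once. The caller cannot recover it from the store afterwards."""
    key_id = secrets.token_hex(8)
    plaintext = f"pk_{key_id}_{secrets.token_urlsafe(32)}"   # assumed format
    KEY_STORE[key_id] = {"agent_id": agent_id, "hash": hash_key(plaintext), "revoked": False}
    return key_id, plaintext


def verify_bearer(authorization_header: str) -> Optional[str]:
    """Resolve 'Authorization: Bearer <key>' to an agent id, or None if the
    scheme is wrong, the key is unknown, revoked, or the digest does not match."""
    scheme, _, presented = authorization_header.partition(" ")
    if scheme != "Bearer" or not presented:
        return None
    parts = presented.split("_", 2)            # pk_<key_id>_<secret>
    if len(parts) != 3 or parts[0] != "pk":
        return None
    record = KEY_STORE.get(parts[1])
    if record is None or record["revoked"]:
        return None
    # Constant-time digest comparison so a mismatch does not leak via timing.
    if not hmac.compare_digest(record["hash"], hash_key(presented)):
        return None
    return record["agent_id"]


def auth_header_from_env(env: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Client side: build the header from PAPERCLIP_API_KEY as documented above."""
    env = os.environ if env is None else env
    key = env.get("PAPERCLIP_API_KEY")
    if not key:
        raise RuntimeError("PAPERCLIP_API_KEY is not set")
    return {"Authorization": f"Bearer {key}"}
```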
When running locally, no authentication is required; all requests are treated as the local board operator.

Board operators authenticate via Better Auth sessions (cookie-based). The web UI handles login and logout flows automatically.
All entities belong to a company. The API enforces company boundaries:
403