Start a CLI login session

curl --request POST \
  --url https://api.usezombie.com/v1/auth/sessions \
  --header 'Content-Type: application/json' \
  --data '
{
  "public_key": "<string>",
  "token_name": "<string>"
}
'

{
  "session_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "request_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
}

Authentication

Start a CLI login session

Step 1 of the CLI device flow. The CLI generates an ephemeral P-256 ECDH keypair and POSTs the public key plus an operator-facing token_name label. The server allocates a UUIDv7 session_id and stores {cli_public_key, token_name, status: pending, expires_at_ms} in Redis with a 5-minute TTL. The CLI then prints https://app.usezombie.com/cli-auth/{session_id} for the operator to open in their browser.

Unauthenticated; rate-limited at the Cloudflare WAF edge (L2 — 10 / IP / minute on POST /v1/auth/sessions) and Clerk-edge (L1) for sign-in / sign-up traffic upstream.

POST

auth

sessions

Start a CLI login session

curl --request POST \
  --url https://api.usezombie.com/v1/auth/sessions \
  --header 'Content-Type: application/json' \
  --data '
{
  "public_key": "<string>",
  "token_name": "<string>"
}
'

{
  "session_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "request_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
}

Body

application/json

public_key

string

required

Base64url-encoded P-256 SubjectPublicKeyInfo. The CLI's ephemeral ECDH public key — used by the dashboard to derive the AES-256-GCM session key that wraps the JWT.

token_name

string

required

Operator-facing label for the resulting credential (e.g. macos-cli, linux-cli, windows-cli). Printable ASCII; appears in audit events and zombiectl auth status.

Required string length: 1 - 64

Response

Auth session created

session_id

string<uuid>

required

Session identifier for polling. UUIDv7.

request_id

string<uuid>

required

Unique request identifier

Prometheus metrics Poll auth session status