Authentication
Orstrum Cloud signs in exclusively through GitHub OAuth — there is no email/password path. The CLI opens a browser for the OAuth flow and stores the resulting session locally.
JWT anatomy
After sign-in, a Custom Access Token Hook enriches the JWT app_metadata
with your workspace context:
"sub": "<user-uuid>",
"app_metadata":
"workspace_id": "<uuid>",
"workspace_role": "member", // owner | admin | member
"plan": "individual"
The workspace_id claim is used by every Postgres RLS policy. It is set
server-side and cannot be forged by the client.
CLI credentials
orstrum login stores the access token and refresh token in
~/.orstrum/credentials.json. Tokens are refreshed automatically before
expiry. You should only need to log in once per machine.
API keys
For CI environments or shared integrations, generate API keys in the dashboard. API keys act as long-lived tokens scoped to your workspace. Only the SHA-256 hash of each key is stored — the raw key is shown once at creation and is not recoverable afterward.