Authentication

Orstrum Cloud signs in exclusively through GitHub OAuth — there is no email/password path. The CLI opens a browser for the OAuth flow and stores the resulting session locally.

JWT anatomy

After sign-in, a Custom Access Token Hook enriches the JWT app_metadata with your workspace context:


  "sub": "<user-uuid>",
  "app_metadata": 
    "workspace_id":   "<uuid>",
    "workspace_role": "member",   // owner | admin | member
    "plan":            "individual"
  

The workspace_id claim is used by every Postgres RLS policy. It is set server-side and cannot be forged by the client.

CLI credentials

orstrum login stores the access token and refresh token in ~/.orstrum/credentials.json. Tokens are refreshed automatically before expiry. You should only need to log in once per machine.

API keys

For CI environments or shared integrations, generate API keys in the dashboard. API keys act as long-lived tokens scoped to your workspace. Only the SHA-256 hash of each key is stored — the raw key is shown once at creation and is not recoverable afterward.