Skip to content
LoomBrain

API Authentication

The LoomBrain API supports two authentication methods.

Bearer tokens (JWT)

Section titled “Bearer tokens (JWT)”

Obtained via OAuth (Google) or magic link login. Access tokens expire after 15 minutes; refresh tokens last 30 days.

Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Refreshing tokens

Section titled “Refreshing tokens”
POST /api/v1/auth/refresh
Content-Type: application/json


{
  "refresh_token": "your-refresh-token"
}

Response:

{
  "access_token": "new-access-token",
  "refresh_token": "new-refresh-token",
  "expires_in": 900
}

The CLI and MCP server handle token refresh automatically.

API keys

Section titled “API keys”

Generate API keys in the dashboard under Settings > API Keys. API keys don’t expire but can be revoked at any time.

Authorization: ApiKey lbk_abc123.secret456

API keys use HMAC verification. The key format is {key_id}.{secret}.

Managing API keys

Section titled “Managing API keys”

List keys:

GET /api/v1/auth/api-keys

Create a key:

POST /api/v1/auth/api-keys
Content-Type: application/json


{
  "name": "my-integration"
}

The raw key is returned only on creation. Store it securely.

Revoke a key:

DELETE /api/v1/auth/api-keys/:id

Environment variables

Section titled “Environment variables”

For CLI and scripts, you can set:

VariablePurpose
LB_TOKENAPI key for authentication — accepts API keys only, not JWT tokens (skips OAuth login)
LB_API_URLOverride the API base URL