Authentication
Bearer-token auth for backend services, CLI credential storage, and OAuth for the web frontend.
Thyme uses three authentication mechanisms across its components.
| Component | Auth method |
|---|---|
| Backend services (definition service, query server) | Bearer token via THYME_API_KEY |
| CLI / Python SDK | Stored credentials at ~/.thyme/credentials |
| Web frontend | OAuth (configurable; GitHub provider by default) |
API: Bearer token
Every backend request (except /health and /metrics) requires:
Authorization: Bearer $THYME_API_KEYInvalid or missing tokens return 401. Your Thyme administrator issues API keys; rotation is handled platform-side.
# Authenticated request
curl -H "Authorization: Bearer $THYME_API_KEY" \
"$THYME_BASE_URL/features?entity_id=user_42&featureset=UserFeatures"CLI: Credential storage
thyme login stores credentials at ~/.thyme/credentials (JSON, file permissions 0600). All subsequent CLI and SDK calls automatically attach the bearer token.
# One-time setup - use the URL and key your administrator gave you
thyme login --url https://thyme.your-company.com --api-key tk_your_key
# Subsequent commands authenticate automatically
thyme commit features.py
thyme status
thyme logsThe THYME_API_KEY environment variable, if set, overrides stored credentials. This is the recommended pattern for CI environments - thyme login for an interactive workstation, THYME_API_KEY env var for CI.
To remove stored credentials:
thyme logoutPriority chain
Credential lookup order, highest priority first:
THYME_API_KEYenvironment variable--api-keyflag passed to the CLI~/.thyme/credentials
Web UI: OAuth
The Thyme web UI uses an OAuth provider for human sign-in; you don't need to manage an API key to use the dashboard. The provider and any organisation-level access controls are configured by your Thyme administrator.