CLI Machine-ID Token

Was this page helpful?

token sent via the `request header.`
, , etc.) to call management endpoints without requiring the user to supply a JWT or password on every invocation. reads the hardware machine ID via (falls back to an empty string on failure, disabling CLI auth). and returns the full 64-char hex digest — a deterministic, non-reversible token tied to this machine. on every request to . ) recomputes the expected token with the same salt and compares via to prevent timing-based extraction. Loopback-only is , , or . Constant-time compare prevents timing attacks. Non-reversible No -protected bypass is evaluated before the CLI token check. and always require JWT. Non-exportable to rotate the derived token without code changes. After rotation, all CLI processes on this machine will use the new token automatically. Useful after a process-list leak that may have exposed the previous derived value. # Persistent rotation (add to shell profile) export OMNIROUTE_CLI_SALT="my-secret-salt-2026" # Verify new token is in use omniroute status ) constant ) — route protection tiers — full authorization pipeline


Loopback-only	is `, , or .`
Constant-time compare	prevents timing attacks.
Non-reversible
No `-protected bypass`	is evaluated before the CLI token check. `and always require JWT.`
Non-exportable

Was this page helpful?

arrow_backReasoning Replay CacheCLI Machine-ID Token Authenticationarrow_forward