Getting started

Authentication

Every Polnor API call is authenticated and scoped to a single workspace. There are three kinds of credential, for three kinds of caller.

Access tokens (users)

Exchange email + password for a short-lived bearer token, then send it on every request.

POST /api/v1/auth/login

curl -s https://api.polnor.net/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"you@acme.eu","password":"••••••"}'

# → { "access_token": "eyJ…", "expires_in": 3600 }

Pass it as a header on subsequent calls. Tokens expire after one hour; refresh with POST /api/v1/auth/refresh.

curl https://api.polnor.net/api/v1/compute \
  -H "Authorization: Bearer $TOKEN"

API keys (automation)

For CI and scripts, mint a long-lived API key from the console under Admin → API Keys. Keys carry the same workspace scope and can be revoked at any time. Expired keys are cleaned up automatically 30 days after expiry.

curl https://api.polnor.net/api/v1/jobs \
  -H "Authorization: Bearer polnor_sk_…"

Agent tokens (data plane)

The agent running in your cloud authenticates to the control plane with an agent token, provisioned by Terraform when your namespace is created. It is used only for the outbound WebSocket and never leaves your infrastructure. You don't handle it directly.

Workspace scoping

Errors