The Telescope Net API uses three distinct authentication schemes depending on who is making the request. Node agents use a long-lived API key pair obtained at first-boot registration. Members and app users authenticate with rotating bearer tokens issued at login. Administrators use a single shared key configured server-side. None of these schemes use OAuth or session cookies — all credentials are passed as HTTP headers on every request.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/ManiFed/TTN/llms.txt
Use this file to discover all available pages before exploring further.
Node authentication
Node agents authenticate every API call (except initial registration) using two headers sent together:| Header | Value |
|---|---|
X-Node-Id | Unique identifier assigned at registration, e.g. node_a3f9b2c1 |
X-Api-Key | Secret key assigned at registration |
Obtaining node credentials
Node credentials are issued once during first-boot registration. The node sends itsactivation_code (obtained from the member app or an admin-generated bulk code) along with its hardware details to POST /api/v1/nodes/register. The server validates the code, creates a node record, and returns the node_id and api_key.
The node agent persists these credentials to data/cloud_state.json on the local filesystem. On every subsequent startup the agent reads this file and uses the stored credentials — it never needs to re-register unless the state file is deleted.
Activation codes follow the format
BS-YYYY-XXXXXXXX (e.g. BS-2026-ABCD1234). Each code is single-use and is marked consumed on the server the moment registration succeeds. Possession of the code allows recovering the same credentials within a 15-minute retry window in case the registration response was lost in transit.Example
Member authentication
Members and app users authenticate with a bearer token obtained by logging in. The token is passed on every authenticated request in theAuthorization header.
Security model
Passwords are hashed server-side using PBKDF2-HMAC-SHA256 with a per-user random salt and 260,000 iterations — comfortably above the OWASP 2024 minimum. Bearer tokens are random 32-byte URL-safe strings (secrets.token_urlsafe(32)) stored as SHA-256 hashes; the plaintext token is never persisted.
Each successful login issues a new token, invalidating the previous one. There is no refresh flow — clients that receive a 401 should prompt the user to log in again.
Registration and login flow
Using the token
Pass the token from the login response in every subsequent member request:Generating an activation code for node registration
Once logged in, a member generates a personal activation code to link a new node to their account. The code expires after 30 days.location_name is geocoded via Nominatim and stored with the code so that the node automatically receives coordinates at registration even if it has not yet configured them locally. The telescope_model seeds the hardware spec defaults.
Admin authentication
Admin endpoints are protected by a single shared secret passed in theX-Admin-Key header on every request. The key is set in cloud/config.yaml under server.admin_key and compared with a constant-time comparison to prevent timing attacks.