Vaulx uses server-side session cookies — not API keys or JWTs. When youDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/noelzappy/vaulx/llms.txt
Use this file to discover all available pages before exploring further.
POST valid credentials to /auth/login, the server creates a session record in PostgreSQL and sends a vaulx-session cookie back to the client. Every subsequent request to a protected route must include that cookie. There is no token-based alternative; if the cookie is absent or the session is invalid, the server redirects you to /auth/login.
Login Flow
Submit credentials
POST your credentials as a URL-encoded form body. On success, the server sets the vaulx-session cookie and issues a 302 Found redirect to /files.The email address associated with the user account.
The account password. Verified against a bcrypt hash stored in the database.
Session Cookie
After a successful login, the server writes a cookie with the following attributes — sourced directly fromsessionStore.Options in cmd/server/main.go:
| Attribute | Value | Notes |
|---|---|---|
| Name | vaulx-session | Fixed cookie name used by the gorilla/sessions store |
| Path | / | Cookie is sent on all paths |
| MaxAge | 604800 seconds (7 days) | Session expires one week after login |
| HttpOnly | true | Not accessible via JavaScript document.cookie |
| SameSite | Lax | Sent on top-level navigations; protects against most CSRF |
| Secure | true | Only sent over HTTPS connections |
Cookie Backend
Session data is stored in PostgreSQL viapgstore — the cookie itself contains only a session ID, not any user data. The store runs a background cleanup goroutine every 5 minutes to purge expired sessions from the database.
Session Values
Once authenticated, the following values are written into the server-side session record and loaded into the request context on every protected request:| Key | Type | Description |
|---|---|---|
user_id | string (UUID) | Unique identifier of the authenticated user |
role | string | User’s role — admin or editor |
email | string | User’s email address |
name | string | User’s display name |
UserContext struct (defined in internal/auth/context.go):
auth.GetCurrentUser(r.Context()).
Access Control
Two helper functions ininternal/auth/acl.go govern what an authenticated user may do:
admin— full access to all resources and all admin routes under/admin/.editor— can create and modify resources they own.- Any other role — read-only access to owned resources.
Logout
SendingPOST /auth/logout sets the session’s MaxAge to -1, which instructs the browser to immediately expire the cookie, and then redirects to /auth/login.
curl Walkthrough
The following end-to-end example logs in, lists files, and then logs out:Error Responses
| Scenario | HTTP status | Behaviour |
|---|---|---|
| Wrong email or password | 401 Unauthorized | Re-renders the login page with the message “Invalid email or password” |
| Protected route accessed without a session cookie | 302 Found | Redirects to /auth/login |
| Session cookie present but session record is new/invalid | 302 Found | Redirects to /auth/login |
| Authenticated but insufficient role for an admin route | 403 Forbidden | Returns a 403 HTML error page |
On a
401 response the login page is re-rendered with an inline error message: "Invalid email or password". No JSON error body is returned.