Sherpa authenticates API clients using anDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/tudoumono/Sherpa/llms.txt
Use this file to discover all available pages before exploring further.
HttpOnly session cookie named sherpa_session. After a successful login the server sets this cookie and subsequent requests must include it. The server validates the cookie on every protected endpoint, looks up the session in PostgreSQL, and resolves the caller’s uid and role before processing the request.
Auth Modes
Sherpa has two authentication modes. The active mode is determined at startup from environment variables.Compatibility mode (default)
When
SHERPA_AUTH_ENABLED is not set, all requests are treated as coming from a synthetic admin user. No cookie is checked. This is the default for local development and CI pipelines — it means existing tests and scripts work without any login step.Force compatibility mode at any time with SHERPA_AUTH_DISABLED=1, even if SHERPA_AUTH_ENABLED=1 is present in the environment.Auth mode
Set
SHERPA_AUTH_ENABLED=1 to require authentication. Every non-public endpoint checks the sherpa_session cookie. An unauthenticated request returns 401. Admin-only endpoints additionally require role = admin and return 403 for regular users.In compatibility mode the server never reads or validates any cookie. You can call every endpoint — including admin endpoints — from
curl without any -b flag. Do not run in compatibility mode in production.POST /auth/login
Log in with a username (uid) and password. On success, the server creates a session in PostgreSQL, sets thesherpa_session cookie, and returns the caller’s uid.
Request body
The user’s uid. Must match the slug pattern
^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$.The user’s password in plain text. Transmitted over HTTPS; stored as a pbkdf2 hash server-side.
Responses
true on success.The uid of the authenticated user.
Admin bootstrap
The very first login asadmin is special. If no admin row exists in the database, the server checks whether SHERPA_ADMIN_PASSWORD is set and whether the supplied password matches it. If it does, the admin account is created on the fly (bootstrapped). If SHERPA_ADMIN_PASSWORD is not set, or the password does not match, a generic 401 is returned.
GET /auth/me
Return the current user’s profile. Useful for front-end applications to verify the session and display the logged-in user’s name and role.Responses
The authenticated user’s uid.
Email address, if set.
Human-readable display name, if set.
Either
"admin" or "user".POST /auth/logout
Revoke the current session and clear thesherpa_session cookie. The session record is deleted from PostgreSQL so the token cannot be reused even if an attacker captures it after logout.
Responses
Always
true on a successful logout.Cookie Details
| Property | Value |
|---|---|
| Name | sherpa_session |
HttpOnly | Yes — not accessible from JavaScript |
SameSite | Lax |
Path | / |
Secure | Set when SHERPA_ENV is not dev, development, or empty |
| Max age | SHERPA_SESSION_DAYS × 86400 seconds (default: 7 days) |
secrets.token_urlsafe(). Only the SHA-256 hash of this token is stored in PostgreSQL — the plain token never persists server-side.
Configure session lifetime with the SHERPA_SESSION_DAYS environment variable (default 7):
Using the API from the Command Line
The examples below use a cookie jar file (cookies.txt) to persist the session across requests.
Full Login Flow
POST /auth/login
Send username and password as a JSON body. The server validates the credentials, creates a session, and sets the
sherpa_session cookie in the Set-Cookie response header.Include the cookie on every request
Your HTTP client must send the
sherpa_session cookie on every subsequent request. Browsers do this automatically. CLI tools like curl need a cookie jar (-c / -b). Language SDKs should use a persistent CookieJar or Session object.Check session with GET /auth/me
Optionally verify the session is active and retrieve the current user’s role before making role-sensitive requests.
Error Reference
| HTTP status | Scenario |
|---|---|
401 | No cookie present ("ログインが必要です") or session not found / expired ("セッションが無効です"). |
403 | Logged in but insufficient role — e.g., a user calling an admin-only endpoint ("管理者権限が必要です"). |
500 | Audit-log write failure during login. Sherpa is fail-closed: the session is revoked and a 500 is returned rather than issuing a cookie without an audit record. |