API Authentication
The LoomBrain API supports two authentication methods.
Bearer tokens (JWT)
Obtained via OAuth (Google) or magic link login. Access tokens expire after 15 minutes; refresh tokens last 30 days.

    Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Refreshing tokens

    POST /api/v1/auth/refresh
    Content-Type: application/json

    {
      "refresh_token": "your-refresh-token"
    }

Response:

    {
      "access_token": "new-access-token",
      "refresh_token": "new-refresh-token",
      "expires_in": 900
    }

The CLI and MCP server handle token refresh automatically.
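
For a script that calls the API directly instead of going through the CLI, the refresh exchange above can be wrapped as follows. This is an added example, not LoomBrain's own code; the base URL passed in, the 30-second early-refresh margin, and the names `TokenManager` and `http_post_json` are assumptions.

```python
import json
import time
import urllib.request

REFRESH_PATH = "/api/v1/auth/refresh"  # endpoint documented on this page
SKEW_SECONDS = 30                      # assumption: refresh slightly before expiry


def http_post_json(url, payload):
    """Default transport: POST a JSON body and return the decoded JSON reply."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenManager:
    """Holds a usable access token and swaps in the refresh token from each reply."""

    def __init__(self, base_url, refresh_token, post=http_post_json, clock=time.monotonic):
        self.base_url = base_url.rstrip("/")
        self.refresh_token = refresh_token
        self._post = post      # injectable so the class can be exercised offline
        self._clock = clock
        self._access_token = None
        self._expires_at = 0.0

    def _refresh(self):
        reply = self._post(self.base_url + REFRESH_PATH,
                           {"refresh_token": self.refresh_token})
        self._access_token = reply["access_token"]
        # The response includes a new refresh token: store it in place of the old one.
        self.refresh_token = reply["refresh_token"]
        # expires_in is in seconds (900 = the 15-minute access token lifetime).
        self._expires_at = self._clock() + reply["expires_in"] - SKEW_SECONDS

    def authorization_header(self):
        """Return the Authorization header value, refreshing first if near expiry."""
        if self._access_token is None or self._clock() >= self._expires_at:
            self._refresh()
        return "Bearer " + self._access_token
```

If the refresh token is persisted between runs, write the updated `refresh_token` back to that store after every refresh, with the same protection as the original.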
API keys
Generate API keys in the dashboard under Settings > API Keys. API keys don’t expire but can be revoked at any time.

    Authorization: ApiKey lbk_abc123.secret456

API keys use HMAC verification. The key format is {key_id}.{secret}.
Managing API keys
List keys:

    GET /api/v1/auth/api-keys

Create a key:

    POST /api/v1/auth/api-keys
    Content-Type: application/json

    {
      "name": "my-integration"
    }

The raw key is returned only on creation. Store it securely.

Revoke a key:

    DELETE /api/v1/auth/api-keys/:id

Environment variables
For CLI and scripts, you can set:
| Variable | Purpose |
|---|---|
| LB_TOKEN | API key for authentication — accepts API keys only, not JWT tokens (skips OAuth login) |
| LB_API_URL | Override the API base URL |