Auth & catalog

Optional GitHub OAuth via zectre-catalog: the catalog issues JWTs that the cluster API trusts, and the dashboard and CLI both consume the same flows.

Two login stories

  1. Catalog + OAuth (recommended for teams) — Users sign in with GitHub (PKCE). The catalog mints JWTs; the cluster validates them using JWKS.
  2. Legacy platform login — API key or polling-style login against the cluster API only (zectre login --legacy-platform-login).

Cluster side

In config.toml, under the [auth] section, set all of these together when using catalog JWTs:

Key                Role
catalog_jwks_url   e.g. http://127.0.0.1:47100/.well-known/jwks.json
jwt_expected_iss   Issuer the catalog puts in tokens
jwt_expected_aud   Audience the API expects (often aligned with [api].public_url)

Catalog side

The catalog needs a Postgres database, a GitHub OAuth application, and a public URL for callbacks (e.g. http://127.0.0.1:47100/oauth/github/callback in dev).

CLI

Set ZECTRE_CATALOG_URL (or catalog_url in config) so zectre login opens the browser flow. Use ZECTRE_JWT_AUDIENCE if the audience claim must differ from the default.

Dashboard

With VITE_CATALOG_URL set, API calls for signed-in users are driven by the catalog-selected cluster target (see Dashboard), not necessarily by VITE_API_URL alone.

Details for operators live in the platform repo’s docs/AUTH_CATALOG.md; this page is the product-level map. For command-level flags, see Authentication.