How Auth Works

Frona AI uses JWT-based authentication. Users register with a username and password, and the platform issues access and refresh tokens.

Auth flow

1. User registers or logs in via the API
2. The server returns an access token and sets a refresh token in a secure, httponly cookie
3. The access token is included in subsequent requests
4. When the access token expires, the client uses the refresh token to get a new one

Token types

Token	Lifetime	Delivery
Access token	15 minutes	Response body / Authorization header
Refresh token	7 days	Secure, httponly cookie

Authentication methods

The API accepts authentication through several mechanisms:

• Authorization header: Authorization: Bearer <access_token>
• Cookie: the refresh token cookie is set automatically during login
• Query parameter: ?token=<jwt> (useful for SSE connections and WebSocket URLs)

API endpoints

Endpoint	Description
POST /api/auth/register	Create a new account
POST /api/auth/login	Log in and get tokens
POST /api/auth/logout	Invalidate the current session
POST /api/auth/refresh	Get a new access token
GET /api/auth/me	Get the current user’s profile
PUT /api/auth/username	Update your username

Personal access tokens

You can create personal access tokens (PATs) for programmatic API access. These are long-lived tokens that don’t expire like regular access tokens.

Endpoint	Description
GET /api/auth/tokens	List your PATs
POST /api/auth/tokens	Create a new PAT
DELETE /api/auth/tokens/{id}	Revoke a PAT

Rate limiting

Auth endpoints are rate-limited to 5 requests per second with a burst capacity of 10. This applies per IP address.

Security

• Passwords are hashed with Argon2
• Secrets and sensitive data are encrypted with AES-GCM
• The encryption secret (FRONA_AUTH_ENCRYPTION_SECRET) must be changed from the default in production

See JWT Details for more on token handling, and SSO for single sign-on configuration.