openclaw/crabbox
openclaw/crabbox
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 9 Wiki Activity
v0.1.0
crabbox/docs/features/auth-admin.md
Peter Steinberger 4957aba8a1
docs: document lease slugs and idle timeout
2026-05-01 08:01:00 +01:00

1.2 KiB
Raw Permalink Blame History

Auth And Admin

Read when:

  • changing broker login or identity;
  • changing trusted operator controls;
  • debugging who owns a lease or run.

Crabbox currently supports bearer-token broker auth. crabbox login stores the broker URL, provider, and token in the user config, then verifies the token with GET /v1/whoami. It is not yet a GitHub browser OAuth flow.

Identity sent to the coordinator:

Cloudflare Access email, when present
X-Crabbox-Owner from CRABBOX_OWNER, Git email env, or git config user.email
X-Crabbox-Org from CRABBOX_ORG
CRABBOX_DEFAULT_ORG fallback in the Worker

Commands:

crabbox login --url <url> --token-stdin
crabbox whoami
crabbox logout

Trusted operator controls:

crabbox admin leases --state active
crabbox admin release blue-lobster
crabbox admin delete cbx_... --force

Admin commands use the same coordinator token as normal broker calls. Do not distribute the shared token to untrusted users. A future access-control pass should split operator and user tokens before Crabbox is opened beyond trusted maintainers.

Related docs: