Status: v0 (M1). Single-operator model. Multi-tenant auth lands in M5.
Master key — 32 random bytes, generated by the control plane on first run and stored at /var/lib/h4a/master.key (mode 0600). After h4a login it is also stored on your laptop at ~/.config/h4a/credentials, because the CLI signs subkeys with it. Treat it like a root password, on the laptop as much as on the server: anyone holding it can mint a subkey for any tenant with any TTL.
Subkey — an expiring JWT (HS256, signed with the master key) carrying a tenant claim and an exp. This is what you paste into an agent's MCP config. HS256 is symmetric, so the control plane verifies a subkey with the same master key that minted it; there is no separate verification key to hand out, and anything that can verify can also mint.
```bash
# On the control-plane host, once. The file is mode 0600, so read it as root
# or as the user the control plane runs as:
cat /var/lib/h4a/master.key   # copy the value

# On your laptop, once. This writes the master key to ~/.config/h4a/credentials:
h4a login https://h4a.site
# Master key (input hidden): ****

# Mint a long-lived subkey for pasting into an agent's MCP config:
h4a session create --mcp --tenant default
# eyJhbGciOi...   (prints on stdout; TTL = 90 days)

# Or for a throwaway CLI call that runs for seconds:
h4a session create --tenant default
# TTL = 24h (the original default)
```
Paste the JWT into your agent's MCP config as the bearer token. The MCP URL is https://h4a.site/mcp.
--mcp vs no flag
- --mcp: TTL = 90 days (2160 hours). Use this when you're pasting the token into an agent's MCP config. MCP bearers have no auto-refresh, so a 24h token silently breaks the "paste once" pitch after a day. The price of the long TTL: v0 has no per-token revocation, so a leaked MCP token is usable until its exp unless you rotate the master key.
- no flag: TTL = 24h. Fine for a CLI call that runs for seconds.
- --ttl-hours N: explicit override. Always wins, over --mcp and over the default.

401 responses
All 401 responses carry a docs_url (this page) and a human-readable message. Common cases:
- No or malformed Authorization header: send Authorization: Bearer <subkey> on every request.
- Subkey past its exp: mint a new one with h4a session create.
- Subkey signed with a master key the control plane no longer holds (typically after rotation): run h4a login again, then h4a session create.

Rotation
v0 has no automatic rotation. If the master key leaks:
1. On the control-plane host: rm /var/lib/h4a/master.key && systemctl restart h4a-controlplane. The control plane generates a fresh key on start, and every subkey signed with the old key stops verifying at that moment. Check: any old subkey sent against the restarted control plane should now get a 401.
2. Run h4a login https://h4a.site again on every operator machine so the CLI's ~/.config/h4a/credentials holds the new key.
3. Run h4a session create again and re-paste the new subkey into every agent's MCP config.
If a subkey leaks rather than the master key: it is accepted until its exp. To cut it off before exp, rotate the master key as above, accepting that this invalidates every other subkey too.
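The whole lifecycle on this page (mint with the 24h and --mcp TTL defaults and the --ttl-hours override, verify on the control plane, the three 401 causes, and why regenerating the master key kills every outstanding subkey) as an added example in Python. This is not h4a's code: the function names, the exact 401 messages and the iat claim are assumptions made for illustration, and it uses only the standard library so it runs offline.

```python
# Added example, not h4a's code: a minimal HS256 JWT minter/verifier with the
# semantics this page describes (master key = 32 random bytes; subkey = JWT with
# tenant + exp; default TTL 24h; --mcp TTL 90 days; --ttl-hours always wins) and
# the three ways a bearer is rejected. Function names and messages are assumptions.
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional, Tuple

MASTER_KEY_BYTES = 32
DEFAULT_TTL_HOURS = 24        # `h4a session create`
MCP_TTL_HOURS = 90 * 24       # `h4a session create --mcp` (2160 h)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def generate_master_key() -> bytes:
    """What the control plane does on first run, and again after rm master.key + restart."""
    return os.urandom(MASTER_KEY_BYTES)


def mint_subkey(master_key: bytes, tenant: str, mcp: bool = False,
                ttl_hours: Optional[int] = None, now: Optional[int] = None) -> str:
    """Stand-in for `h4a session create --tenant T [--mcp] [--ttl-hours N]`."""
    now = int(time.time()) if now is None else now
    if ttl_hours is None:                                   # explicit TTL wins over --mcp
        ttl_hours = MCP_TTL_HOURS if mcp else DEFAULT_TTL_HOURS
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"tenant": tenant, "iat": now, "exp": now + ttl_hours * 3600}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(master_key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_bearer(master_key: bytes, authorization: Optional[str],
                  now: Optional[int] = None) -> Tuple[int, str, Optional[dict]]:
    """Control-plane side. Returns (status, message, claims); the 401 messages mirror the page's cases."""
    now = int(time.time()) if now is None else now
    if not authorization or not authorization.startswith("Bearer "):
        return 401, "missing bearer: send Authorization: Bearer <subkey> on every request", None
    parts = authorization[len("Bearer "):].split(".")
    if len(parts) != 3:
        return 401, "malformed subkey", None
    # Check the MAC over header.payload before trusting anything inside the token.
    expected = hmac.new(master_key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return 401, "bad signature: not minted with the current master key; run h4a login, then mint again", None
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, TypeError):
        return 401, "malformed subkey", None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return 401, "malformed subkey", None
    if header.get("alg") != "HS256":            # never let the token pick its own algorithm
        return 401, "unsupported alg", None
    if claims.get("exp", 0) <= now:
        return 401, "expired: run h4a session create again", None
    return 200, "ok", claims


def rotation_invalidates_subkeys(now: int = 1_700_000_000) -> Tuple[int, int]:
    """The leak drill: a 90-day MCP token dies the moment the master key is regenerated."""
    old_key = generate_master_key()
    token = mint_subkey(old_key, "default", mcp=True, now=now)
    before = verify_bearer(old_key, "Bearer " + token, now=now)[0]
    new_key = generate_master_key()                     # rm master.key && systemctl restart
    after = verify_bearer(new_key, "Bearer " + token, now=now)[0]
    return before, after


if __name__ == "__main__":
    key = generate_master_key()
    tok = mint_subkey(key, "default", mcp=True)
    print(tok)                                  # what you would paste into the MCP config
    print(verify_bearer(key, "Bearer " + tok))
    print(rotation_invalidates_subkeys())       # (200, 401)
```

Two things the code makes visible that the prose only implies: the signature is checked before the payload is even parsed, so a forged tenant or exp never reaches the claims logic; and exp is compared against the verifier's clock, so a 24h token minted on a laptop with a skewed clock can 401 as "expired" earlier or later than you expect.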