Authentication
Therig CLI is the primary way to authenticate. Run rig login once and every subsequent command (including raw rig api calls) reuses your stored credentials — no headers to manage.
Log in with the CLI
API keys
For backend services, CI, or agents, mint a long-lived API key. API keys (rb_…) are full-account credentials, shown once at creation and stored hash-only. Create one from the dashboard under Settings → API Keys, or with the CLI:
rb_ prefix in a Bearer header:
Raw API access
To hit any endpoint directly without managing headers, userig api. It reuses your stored credentials and sends an authenticated request:
Bearer tokens (JWT)
If you authenticate through the dashboard login flow, you receive a short-lived JWT. The dashboard handles refresh automatically — for terminal use, preferrig login (which manages the token for you) or an API key for non-interactive clients.
CLI session approval (rig login)
When you run rig login on your local machine, the CLI walks you through a browser-approval device flow rather than asking for credentials at the prompt. The flow uses three endpoints:
The approval step rotates a single canonical
"CLI login" API key: any prior CLI-login key on your account is revoked before a fresh one is issued. The new key is returned to the polling CLI and written to ~/.rigbox/config.json. This matches what gcloud auth login, aws sso login, and kubectl auth login do — a fresh login means a fresh credential, and the previous credential is invalidated on every other machine that was using it.
If you want a long-lived key that survives re-logging in (e.g. for a CI runner or a second laptop), create it explicitly under Settings → API Keys instead of relying on the
rig login slot.Dashboard session tokens
The Rigbox frontends (rigbox.dev, clawd.rigbox.dev, sandbox.rigbox.dev) handle authentication automatically. Session tokens are managed by the dashboard - no extra setup needed for first-party UIs.
Choosing an auth method
Public endpoints
These endpoints do not require authentication:GET /capacity- check platform availabilityGET /templates- list available workspace templates
Private app authentication (X-Rigbox-Key)
When an app’s visibility is set to private or privileged, requests from outside the workspace must include anX-Rigbox-Key header. This is separate from the Authorization header used for the main API.
Any valid API key (rb_*) will work as the value:
<APP_NAME> with the name of your app (the value you passed to rig app new or the app create endpoint).
Requests made from inside the workspace (e.g. between services on
localhost) do not need this header. It is only required for requests arriving from the public internet.