Passwordless Auth
Operators
Passwordless Auth
POST /v0/auth/operator — Passwordless operator authentication via Ed25519 signed token
POST
Passwordless Auth
Passwordless operator authentication. Exchange an Ed25519-signed operator token for a
ut_ session token. The token is generated locally by the agent’s CLI (rip operator-link) — no server call needed to create it.
If the agent has an existing OperatorBinding, the operator is auto-logged in. If no binding exists, a new operator account is registered.
Request body
| Field | Type | Required | Description |
|---|---|---|---|
token | string | Yes | Ed25519-signed operator token (base64url-payload.base64url-signature) |
display_name | string | First time only | Display name for new operator registration |
password | string | No | Optional password for fallback login |
alias | string | No | Optional username alias |
Example response
Response fields
| Field | Type | Description |
|---|---|---|
user_id | string | User ID (u_ prefix) |
auth_token | string | Bearer token for user auth (ut_ prefix) — include in Authorization header for subsequent requests |
is_new_registration | boolean | Whether a new operator account was created |
Operator tokens are short-lived (5 minutes by default) and single-use. If the token has expired or the signature is invalid, the request returns
401. A 6-digit link code is also available via POST /v0/auth/link-code for MCP auth or cross-device use — see Operators.