Documentation Index
Fetch the complete documentation index at: https://docs.selftune.dev/llms.txt
Use this file to discover all available pages before exploring further.
Two auth systems
selftune Cloud uses two authentication mechanisms for different access patterns:Dashboard auth (browser)
The web dashboard uses GitHub OAuth:- User clicks “Sign in with GitHub”
- On first login, a user record and default organization are created
- Session is maintained via secure cookies
CLI auth (API keys)
The CLI uses Bearer token authentication with API keys:- Keys are prefixed with
st_live_* - Keys are SHA-256 hashed in the database — only the prefix is stored in clear
- All API requests include
Authorization: Bearer <API_KEY>header
Device code flow
For CLI agents that don’t have browser access (headless servers, CI environments), selftune implements the OAuth 2.0 Device Authorization Grant:- CLI creates a device code:
- CLI displays a user code and verification URL
- User opens browser and visits the verification URL
- User enters the code and approves
- CLI polls for approval:
- On approval, a new API key is generated and returned to the CLI
The raw API key is returned exactly once during the device code flow, then NULLed from the database. Store it securely.
Creating API keys
Via dashboard
- Go to Settings > API Keys
- Click Create API Key
- Copy the key immediately — it won’t be shown again
Via CLI
Roles and permissions
Organizations use a 4-level RBAC hierarchy:| Permission | Viewer | Member | Admin | Owner |
|---|---|---|---|---|
| View skills, evals, sessions | Yes | Yes | Yes | Yes |
| Push data, manage API keys | — | Yes | Yes | Yes |
| Configure alerts, invite members | — | — | Yes | Yes |
| Delete org, change roles, billing | — | — | — | Yes |