Authentication
API Keys
m1nd uses scoped API keys for REST API authentication. Create and manage keys in Settings > API Keys.
Creating an API Key
1. Navigate to Settings > API Keys
2. Click Create API Key
3. Enter a name for the key. Use descriptive names like grafana-read or ci-deploy.
4. Select scopes. Only grant the minimum permissions needed.
5. Copy the key. It will not be shown again. Store it securely.
Using an API Key
Include the API key in the X-API-Key header:
```bash
curl -H "X-API-Key: your-api-key" \
  http://localhost:8080/api/monitors
```

```python
import requests

API_KEY = "your-api-key"
BASE = "http://localhost:8080"

# List all monitors
r = requests.get(
    f"{BASE}/api/monitors",
    headers={"X-API-Key": API_KEY}
)
monitors = r.json()

# Create a monitor
r = requests.post(
    f"{BASE}/api/monitors",
    headers={"X-API-Key": API_KEY},
    json={
        "name": "Web Server",
        "target": "https://example.com",
        "check_type": "http",
        "interval": 60,
    }
)
print(r.json())
```

```javascript
const API_KEY = "your-api-key"
const BASE = "http://localhost:8080"

// List all monitors
const res = await fetch(`${BASE}/api/monitors`, {
  headers: { "X-API-Key": API_KEY }
})
const monitors = await res.json()

// Create a monitor
const create = await fetch(`${BASE}/api/monitors`, {
  method: "POST",
  headers: {
    "X-API-Key": API_KEY,
    "Content-Type": "application/json"
  },
  body: JSON.stringify({
    name: "Web Server",
    target: "https://example.com",
    check_type: "http",
    interval: 60,
  })
})
console.log(await create.json())
```

```go
package main

import (
	"fmt"
	"io"
	"net/http"
)

func main() {
	client := &http.Client{}
	req, _ := http.NewRequest("GET", "http://localhost:8080/api/monitors", nil)
	req.Header.Set("X-API-Key", "your-api-key")
	resp, err := client.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	fmt.Println(string(body))
}
```

Scopes
Each API key can be granted one or more scopes:
| Scope | Permission |
|---|---|
| monitors:read | Read monitor data and status |
| monitors:write | Create, update, delete monitors |
| alerts:read | Read alert history |
| alerts:write | Manage alert configurations |
| webhooks:read | Read webhook configurations |
| webhooks:write | Create, update, delete webhooks |
| brain:read | Read Bra1n asset data |
| brain:write | Create, update, delete Bra1n assets |
| v1sion:read | Read V1sion session data |
| v1sion:write | Manage V1sion sessions |
| ssh:execute | Execute SSH commands via API |
Error Responses
When authentication fails, m1nd returns:
```json
{ "status": "error", "message": "Invalid or missing API key" }
```

| Status | Reason |
|---|---|
| 401 | Missing or invalid API key / session |
| 403 | Valid key but insufficient scope |
| 429 | Rate limit exceeded |
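Added example, not m1nd's own code: a Python client wrapper that maps the status codes in the table above to distinct exceptions, retries only on 429, and keeps the key out of source and error text. The M1ND_API_KEY variable name, the function and class names, and the Retry-After handling are assumptions, not documented m1nd behaviour.

```python
import json
import os
import time
import urllib.error
import urllib.request

class AuthError(Exception):
    """401: key missing or invalid. Retrying cannot help; replace the key."""

class ScopeError(Exception):
    """403: key is valid but lacks the scope for this call."""

class RateLimited(Exception):
    """429 persisted after all retries."""

def http_send(method, url, headers, body):
    """Default transport; returns (status, lower-cased headers, text) for any status."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read().decode()

def retry_delay(headers, attempt, cap=30.0):
    """Seconds to wait after a 429. Retry-After support is an assumption; else back off."""
    try:
        return min(float(headers["retry-after"]), cap)
    except (KeyError, ValueError):
        return min(float(2 ** attempt), cap)

def call(method, path, payload=None, *, base="http://localhost:8080", key=None,
         send=http_send, sleep=time.sleep, max_retries=3):
    key = key or os.environ["M1ND_API_KEY"]  # assumed variable name; keeps the key out of source
    headers = {"X-API-Key": key}
    body = None
    if payload is not None:
        body = json.dumps(payload).encode()
        headers["Content-Type"] = "application/json"
    for attempt in range(max_retries + 1):
        status, resp_headers, text = send(method, base + path, headers, body)
        if status == 429 and attempt < max_retries:
            sleep(retry_delay(resp_headers, attempt))
            continue
        if status < 400:
            return json.loads(text) if text else None
        # Build the error from the response only, so the key never lands in log lines.
        try:
            detail = json.loads(text).get("message", "")
        except (ValueError, AttributeError):
            detail = ""
        kind = {401: AuthError, 403: ScopeError, 429: RateLimited}.get(status, RuntimeError)
        raise kind(f"{method} {path} -> HTTP {status}: {detail}")
```

A ScopeError points at the key's scope selection rather than the key itself, so the fix is a key with the missing scope, not a retry.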
Session Authentication
The web dashboard uses session-based authentication with:
- PBKDF2 password hashing (600,000 iterations)
- Session fixation protection — new session ID on every login
- SameSite=Strict cookies — prevents CSRF
- Rate limiting — authentication endpoints are rate-limited
- Account lockout — 5 failed attempts triggers 15-minute lockout
- 2FA TOTP — optional per-user two-factor authentication
SSE Authentication
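Server-Sent Event streams authenticate with session cookies. The browser EventSource API cannot set custom request headers, so to use an API key for SSE, pass the key as the api_key query parameter. A key sent in a URL can be recorded in server and proxy access logs, so use a key that carries only the scopes the stream needs: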
```javascript
const es = new EventSource('/stream?api_key=your-key')
es.onmessage = (e) => {
  const data = JSON.parse(e.data)
  console.log(data)
}
```