CLI Authentication
Learn how the BugSpark CLI authenticates with the API using Personal Access Tokens (PATs).
How It Works
┌─────────────┐   bsk_pat_...   ┌──────────────┐   SHA-256   ┌──────────┐
│  BugSpark   │ ──────────────→ │   BugSpark   │ ──────────→ │ Database │
│  CLI        │ Authorization:  │   API        │ hash match  │          │
│             │ Bearer token    │              │             │          │
└─────────────┘                 └──────────────┘             └──────────┘

- You create a PAT in the Dashboard (or via the bugspark login flow)
- The CLI stores the token locally at ~/.bugspark/config.json
- Every API request includes the token in the Authorization: Bearer header
- The API hashes the token with SHA-256 and matches it against the database
- If valid, the request proceeds as the token owner
Personal Access Tokens (PATs)
PATs are long-lived authentication credentials designed for CLI and API automation.
Token Format
bsk_pat_a1b2c3d4e5f6g7h8i9j0...

- Prefix: bsk_pat_ — allows quick identification
- Body: Cryptographically random string (32+ characters)
- The full token is only shown once at creation time
Security Model
| Feature | Detail |
|---|---|
| Storage | Only the SHA-256 hash is stored in the database |
| Lookup | The prefix bsk_pat_ + first 8 chars are indexed for fast lookup |
| Permissions | A PAT has the same permissions as the user who created it |
| Expiry | Optional — can be set to never expire or any future date |
| Revocation | Instant — delete the token from Settings and it stops working immediately |
How Tokens Are Verified
When the API receives a request with Authorization: Bearer bsk_pat_...:
- Extract prefix — the first 16 characters (e.g. bsk_pat_a1b2c3d4)
- Database lookup — find token records matching this prefix
- Hash comparison — SHA-256 hash the full token and compare with stored hash
- Validate expiry — reject if the token has expired
- Update last used — record the timestamp for audit purposes
- Return user — attach the token owner to the request context
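The verification steps above as an added example (not BugSpark's own code): an in-memory dict stands in for the database, and issue_token, verify and TOKENS are hypothetical names. Comparing the hashes with hmac.compare_digest is an assumption of this example; the page only says the hashes are compared.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

PREFIX = "bsk_pat_"
LOOKUP_LEN = 16  # "bsk_pat_" plus the first 8 characters of the body

# Constructed stand-in for the token table: lookup prefix -> list of records.
TOKENS = {}

def issue_token(user, expires_in_days=None, now=None):
    """Create a token, store only its SHA-256 hash, return the plaintext once."""
    now = now or datetime.now(timezone.utc)
    token = PREFIX + secrets.token_hex(24)  # 48 random hex characters
    expires_at = None
    if expires_in_days is not None:
        expires_at = now + timedelta(days=expires_in_days)
    record = {
        "user": user,
        "hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires_at": expires_at,
        "last_used_at": None,
    }
    TOKENS.setdefault(token[:LOOKUP_LEN], []).append(record)
    return token

def verify(authorization, now=None):
    """Return the token owner, or None if the header does not authenticate."""
    now = now or datetime.now(timezone.utc)
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token.startswith(PREFIX) or len(token) <= LOOKUP_LEN:
        return None
    digest = hashlib.sha256(token.encode()).hexdigest()
    for record in TOKENS.get(token[:LOOKUP_LEN], []):        # database lookup by prefix
        if not hmac.compare_digest(digest, record["hash"]):  # constant-time hash comparison
            continue
        if record["expires_at"] is not None and now >= record["expires_at"]:
            return None                                      # expired token is rejected
        record["last_used_at"] = now                         # audit timestamp
        return record["user"]                                # request proceeds as the owner
    return None
```

Because the prefix only narrows the lookup, a token that shares the indexed 16 characters but differs anywhere in the body still fails the hash comparison.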
Local Config File
The CLI stores your credentials at:
~/.bugspark/config.json

Contents:
{
  "apiUrl": "https://bugspark-api.onrender.com/api/v1",
  "token": "bsk_pat_a1b2c3d4..."
}

Security
- File permissions are set to 0600 (read/write only for your user)
- The token is stored in plaintext (same approach as Docker, Vercel, and Sentry CLIs)
- Run bugspark logout to delete the config file
Best practices
Create a dedicated PAT for each machine or CI environment. This way, you can revoke access for a single device without affecting others.
Managing Tokens
In the Dashboard
Go to Settings → Personal Access Tokens to:
- Create new tokens with custom names and expiry dates
- View all tokens — see name, prefix, last used date, and expiry
- Revoke tokens that are no longer needed
Via the API
You can also manage tokens programmatically:
/api/v1/tokens
Create a new Personal Access Token
{
  "name": "CI Pipeline Token",
  "expires_in_days": 90
}

Returns the full token (only shown once):
{
  "id": "uuid",
  "name": "CI Pipeline Token",
  "token": "bsk_pat_a1b2c3d4...",
  "prefix": "bsk_pat_a1b2c3d4",
  "expires_at": "2026-05-10T00:00:00Z",
  "created_at": "2026-02-09T00:00:00Z"
}

/api/v1/tokens
List all your tokens (token values are NOT returned)

/api/v1/tokens/{id}
Revoke a token
Comparison with Other Auth Methods
| Method | Used By | Best For |
|---|---|---|
| Cookies (JWT) | Dashboard (browser) | Interactive web sessions |
| API Key (X-API-Key) | Widget | Submitting bug reports from client-side |
| PAT (Bearer) | CLI, CI/CD, scripts | Automation and programmatic access |
CSRF Protection
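PAT-authenticated requests automatically bypass CSRF validation since they don't use cookies: CSRF depends on the browser attaching cookies to a request automatically, whereas a bearer token is sent only when the client adds the Authorization header itself. This makes them safe for use in scripts and CI/CD pipelines.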
Next Steps
- CLI Commands — Full command reference
- API Authentication — Other authentication methods
- Widget Installation — Set up the widget