From 501fb2f9965888b515be3f19c526c66ae42983c9 Mon Sep 17 00:00:00 2001 From: brain-marchine <152466993+brain-marchine@users.noreply.github.com> Date: Sun, 12 Jul 2026 17:34:02 +0800 Subject: [PATCH] docs: document admin bearer token guard Fixes #4 --- docs/admin-auth.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 docs/admin-auth.md diff --git a/docs/admin-auth.md b/docs/admin-auth.md new file mode 100644 index 0000000..e8e110f --- /dev/null +++ b/docs/admin-auth.md @@ -0,0 +1,17 @@ +# Admin bearer authentication + +Administrative routes (`/api/v1/admin/*`, pause/unpause, read-only toggles) +require a bearer token matching `ADMIN_TOKEN` (or the configured secret). + +Clients must send: + +``` +Authorization: Bearer +``` + +Missing or invalid tokens receive `401 unauthorized` with the standard +`{ error, message, requestId }` envelope. Never commit production tokens; +use `.env.example` for local development only. + +Write routes for pairs and webhooks use **API keys** instead — see +`docs/api-key-auth.md`.