API authentication

SellTraces has two user authentication modes for public API routes.

Bearer tokens

CLI and machine clients authenticate with:

Authorization: Bearer <token>

Bearer tokens can come from:

CLI device login through POST /api/cli/device/start and GET /api/cli/device/poll

Browser session cookies

Browser flows authenticate with the Better Auth session cookie:

better-auth.session_token=<session>

Dashboard pages, upload pages, and browser-driven API calls use this session path.

Auth modes by endpoint

Auth mode	Meaning
`none`	Public route or pre-auth flow
`cookie`	Signed-in browser session required
`bearer`	Machine bearer token required
`cookie-or-bearer`	Either a signed-in browser session or bearer token

Start a device login:

POST /api/cli/device/start
Content-Type: application/json

{
  "machine": "michaels-macbook"
}

Poll until the browser approval completes:

GET /api/cli/device/poll?deviceCode=<deviceCode>

Pending polls return 202; approved polls return 200 with a bearer token. Check the current authenticated CLI session:

GET /api/cli/session
Authorization: Bearer <token>

Valid sessions return 200 with the authenticated userId; missing or expired credentials return 401.

Better Auth delegation

/api/auth/{path} is delegated to Better Auth. SellTraces owns the mount and route coverage, while Better Auth owns the internal auth sub-route contracts. Generated reference pages cover the GET delegate and POST delegate.

​API authentication

​Bearer tokens

​Browser session cookies

​Auth modes by endpoint

​Device login endpoints

​Better Auth delegation

API authentication

Bearer tokens

Browser session cookies

Auth modes by endpoint

Device login endpoints

Better Auth delegation