Authentication

Kiket supports multiple authentication flows tailored to users, service accounts, extensions, and tooling such as the CLI or MCP server.

Workspace API Tokens (CLI & MCP)

Workspace API tokens are organization-scoped bearer tokens used by the CLI, MCP server, and other first-party tools. Only organization admins can issue them.

Create a token from the UI

  1. Navigate to Settings → API Tokens.
  2. Provide a descriptive name (e.g., “CLI – laptop”).
  3. Select scopes (issues, projects, workflows, analytics, admin) or leave blank for full workspace access.
  4. Optionally set an expiration. Tokens are shown exactly once—copy them into your secret manager immediately.

Manage tokens via API

GET    /api/v1/workspace_api_tokens        # list tokens you can manage
POST   /api/v1/workspace_api_tokens        # create a token (returns `token` once)
DELETE /api/v1/workspace_api_tokens/:id    # revoke a token

Example request:

curl -X POST https://kiket.dev/api/v1/workspace_api_tokens \
  -H "Authorization: Bearer <session_or_token>" \
  -H "Content-Type: application/json" \
  -d '{
        "workspace_api_token": {
          "name": "CLI – laptop",
          "scopes": ["issues:read", "projects"],
          "expires_at": "2025-01-31T23:59:00Z"
        }
      }'

Successful response:

{
  "id": 42,
  "name": "CLI – laptop",
  "scopes": ["issues:read", "projects"],
  "token": "wksp_7d5c9c1a0e8c4f58...", // shown once
  "token_prefix": "wksp_7d5c9c1a",
  "last_used_at": null,
  "owner": { "id": 7, "name": "Avery" }
}

Use the returned token in every API call:

Authorization: Bearer wksp_7d5c9c1a0e8c4f58...

Token scopes

Common scopes mirror CLI/MCP capabilities:

  • issues:read, issues:write
  • projects (includes read/write)
  • comments
  • workflows
  • analytics
  • admin

Scopes follow least privilege—only grant what automation requires.

OAuth 2.0 Client Credentials

  • Use for server-to-server integrations that you host.
  • Register an OAuth application under Organization → Integrations.
  • Token endpoint: https://kiket.dev/oauth/token.
  • Provide client_id, client_secret, and grant_type=client_credentials. Returned tokens carry the scopes you requested.

Extension API Keys

  • Issued automatically during extension installation.
  • Keys are project-scoped and inherit permissions declared in the manifest.
  • Rotate keys from Settings → Extensions or via the /api/v1/extensions/:id/secrets endpoints.

Revocation & Audit

  • Revoke workspace API tokens or OAuth credentials at any time. Revoked tokens stop working immediately.
  • The Settings → API Tokens table shows last used timestamps so you can prune unused credentials.
  • Suspicious usage generates security alerts via email/Slack if configured.
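
An added example (not part of Kiket's documentation or tooling): a Python check that applies the least-privilege and pruning guidance above to a token list. The sample records are constructed; that GET /api/v1/workspace_api_tokens returns the same fields as the create response plus expires_at is an assumption, as is the 90-day staleness threshold.

```python
from datetime import datetime, timezone

# Constructed sample records. Field names follow the create response shown on
# this page; the list endpoint returning them (plus expires_at) is an assumption.
SAMPLE_TOKENS = [
    {"id": 42, "name": "CLI – laptop", "scopes": ["issues:read", "projects"],
     "expires_at": "2025-01-31T23:59:00Z", "last_used_at": "2025-01-10T08:00:00Z"},
    {"id": 43, "name": "ci-runner", "scopes": [],
     "expires_at": None, "last_used_at": "2025-01-14T12:00:00Z"},
    {"id": 44, "name": "old-script", "scopes": ["admin"],
     "expires_at": "2025-06-30T00:00:00Z", "last_used_at": None},
]

def parse_ts(value):
    """Parse a UTC timestamp such as 2025-01-31T23:59:00Z; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_tokens(tokens, now, stale_after_days=90):
    """Return {token id: [findings]} for tokens that deserve review."""
    report = {}
    for tok in tokens:
        findings = []
        scopes = tok.get("scopes") or []
        if not scopes:
            # Blank scopes mean full workspace access, per the UI steps above.
            findings.append("no scopes: full workspace access")
        if "admin" in scopes:
            findings.append("admin scope")
        if parse_ts(tok.get("expires_at")) is None:
            findings.append("no expiration")
        last_used = parse_ts(tok.get("last_used_at"))
        if last_used is None:
            findings.append("never used")
        elif (now - last_used).days > stale_after_days:
            findings.append(f"unused for {(now - last_used).days} days")
        if findings:
            report[tok["id"]] = findings
    return report

if __name__ == "__main__":
    now = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed for repeatable output
    names = {t["id"]: t["name"] for t in SAMPLE_TOKENS}
    for token_id, findings in audit_tokens(SAMPLE_TOKENS, now).items():
        print(f"{token_id} ({names[token_id]}): {'; '.join(findings)}")
```

Tokens the check flags are candidates for narrower scopes, an expiration, or revocation through DELETE /api/v1/workspace_api_tokens/:id.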

Always keep tokens secret and rotate them regularly to maintain security hygiene.