Authentication
Tokens are configured in the seed config and map to users. Pass them as Authorization: Bearer or Authorization: token .
Vercel
All endpoints accept teamId or slug query params for team scoping. Pagination uses cursor-based limit/since/until with pagination response objects.
curl -H "Authorization: Bearer <token>" \
http://localhost:4000/v2/userGitHub
Public repo endpoints work without auth. Private repos and write operations require a valid token. Pagination uses page/per_page with Link headers.
tokens:
gho_test_token_admin:
login: admin
scopes:
- repo
- user
- admin:org
- admin:repo_hook
gho_test_token_user1:
login: octocat
scopes:
- repo
- userUse the token in requests:
curl -H "Authorization: Bearer gho_test_token_admin" \
http://localhost:4001/userGitHub Apps (JWT)
For GitHub App authentication, sign a JWT with { iss: " using the app's private key (RS256). The emulator verifies the signature and resolves the app.
Then create an installation access token:
curl -X POST \
-H "Authorization: Bearer <jwt>" \
http://localhost:4001/app/installations/100/access_tokensThe returned token can be used for API calls scoped to that installation's permissions.
Google OAuth
The Google emulator uses the standard OAuth 2.0 authorization code flow. Configure clients in the seed config and use them with your OAuth library of choice. The OIDC discovery document is available at /.well-known/openid-configuration.
curl http://localhost:4002/.well-known/openid-configurationSlack OAuth
The Slack emulator supports OAuth v2 with a user picker UI. Configure OAuth apps in the seed config for strict client validation. Point your Slack SDK at the emulator URL:
import { WebClient } from '@slack/web-api'
const client = new WebClient(token, {
slackApiUrl: 'http://localhost:4003/api/',
})All Web API endpoints require Authorization: Bearer .
Apple Sign In
The Apple emulator provides OIDC discovery, JWKS, and a full authorization code flow with RS256 ID tokens. Point your app at the emulator's endpoints:
curl http://localhost:4004/.well-known/openid-configurationOn first authorization per user/client pair, a user JSON blob is included in the callback (matching real Apple behavior).
Microsoft Entra ID
The Microsoft emulator supports OIDC discovery, authorization code flow, PKCE, and client credentials grants. It also provides a Microsoft Graph /v1.0/me endpoint.
curl http://localhost:4005/.well-known/openid-configurationSupports Authorization: Basic header with base64-encoded client_id:client_secret as an alternative to body parameters.
Foundry OAuth
The Foundry emulator supports authorization code, PKCE with S256, refresh token rotation, and client credentials. The token endpoint expects application/x-www-form-urlencoded.
curl -X POST http://localhost:4000/multipass/api/oauth2/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id=foundry-web&\
client_secret=foundry-secret&\
grant_type=client_credentials&\
scope=api:admin-read"For browser flows, redirect users to /multipass/api/oauth2/authorize with client_id, redirect_uri, response_type=code, scope, state, and optional PKCE parameters.
GET /api/v2/admin/users/getCurrent requires Authorization: Bearer and the api:admin-read scope.
AWS
Pass tokens as Authorization: Bearer . Scoped permissions use s3:*, sqs:*, iam:*, sts:* patterns.
curl http://localhost:4006/s3/ \
-H "Authorization: Bearer test_token_admin"For the AWS SDK, use IAM access key credentials. A default key pair is always seeded: AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.