Authentication
All API requests must be authenticated unless the runtime is started with
dashboard.auth = false (local testing only).
Authentication methods
Bearer token (recommended)
Pass the token in the Authorization header:
Authorization: Bearer <token>
Generate a token with akshi init or set dashboard.token in runtime.toml.
Bearer-token requests are exempt from CSRF requirements.
Dashboard cookie
The dashboard login endpoint sets the akshi_dashboard_token cookie. API
requests using this cookie must also include the CSRF header on mutating
methods (see below).
No authentication (local testing)
Set dashboard.auth = false in runtime.toml. The runtime accepts all
requests without credentials. Never use this in production or on a
network-accessible interface.
CSRF protection
Mutating requests (POST, PUT, PATCH, DELETE) that authenticate via
cookie must include:
X-Akshi-Csrf: <csrf-token>
The CSRF token is returned in the login response and stored in the
akshi_csrf cookie. Bearer-token requests do not require this header.
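The following is an added example, not code from the akshi runtime or from this page: a server-side check that encodes the rules above (bearer token accepted without CSRF, cookie sessions needing X-Akshi-Csrf on mutating methods, dashboard.auth = false accepting everything). The Request type, authorize() and the token values are assumptions for illustration.

```python
import hmac
from dataclasses import dataclass, field

MUTATING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    # Hypothetical request shape; only the fields the check needs.
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def _eq(presented, expected):
    # Constant-time comparison so a mismatch leaks no timing information.
    if presented is None or expected is None:
        return False
    return hmac.compare_digest(presented, expected)


def authorize(req, auth_enabled, api_token, session_token, csrf_token):
    """Return (allowed, reason) for one request.

    api_token     - value of dashboard.token (bearer auth)
    session_token - value issued at login in the akshi_dashboard_token cookie
    csrf_token    - CSRF token issued in the same login response
    """
    if not auth_enabled:  # dashboard.auth = false: local testing only
        return True, "auth disabled"
    authz = req.headers.get("Authorization", "")
    if authz.startswith("Bearer "):
        if _eq(authz[len("Bearer "):], api_token):
            return True, "bearer"  # bearer requests are exempt from CSRF
        return False, "bad bearer token"
    if _eq(req.cookies.get("akshi_dashboard_token"), session_token):
        if req.method.upper() not in MUTATING:
            return True, "cookie"
        if _eq(req.headers.get("X-Akshi-Csrf"), csrf_token):
            return True, "cookie+csrf"
        return False, "missing or invalid X-Akshi-Csrf"
    return False, "no credentials"


if __name__ == "__main__":
    # Constructed sample: a cookie-authenticated DELETE without the CSRF header.
    r = Request("DELETE", cookies={"akshi_dashboard_token": "sess-1"})
    print(authorize(r, True, "api-1", "sess-1", "csrf-1"))
```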
CORS configuration
The runtime sets CORS headers based on dashboard.cors_origins in
runtime.toml. By default only http://127.0.0.1:3210 is allowed.
[dashboard]
cors_origins = ["https://my-dashboard.example.com"]
Preflight OPTIONS requests are handled automatically.
Rate limiting
Rate limits apply per source IP. Defaults:
| Window | Limit |
|---|---|
| 1 minute | 300 requests |
| Burst | 50 requests |
When a limit is exceeded, the API returns 429 Too Many Requests with a
Retry-After header. Adjust limits with dashboard.rate_limit and
dashboard.rate_limit_burst in runtime.toml.