Authentication

Daspire Control API requests use bearer authentication.

Authorization: Bearer <token>

Interactive CLI and MCP usage should use Daspire login. Users should not share third-party system secrets with an AI assistant. Provider credentials are collected through Daspire secure credential entry or OAuth and are referenced by credential_handle.

daspire auth login opens Daspire in the browser and completes a localhost callback to store the user's Daspire session for CLI use. For staging and local development, set DASPIRE_APP_URL and DASPIRE_API_BASE_URL.

Client Source

Automation clients can identify themselves with:

X-Daspire-Client: cli

Supported values are api, cli, and mcp. Daspire records this value in approvals and audit logs.

Sessions

Control API sessions are derived from the authenticated user session token. Daspire stores only a token hash and session metadata. Workspace administrators can inspect sessions with GET /sessions and revoke a session with POST /sessions/{session_id}/revoke.

Credential Handling

Do not put provider passwords, private keys, access tokens, or API keys into prompts. Use the Daspire credential flow and pass the resulting credential_handle to source or destination operations.

Client Source​

Sessions​

Credential Handling​

Client Source

Sessions

Credential Handling