#18. Auth

Let's look at Telepact's auth convention from the client's side.

For the full Telepact auth boundary, including transport extraction, onAuth normalization, browser cookies, and service-to-service credentials, see the Auth Guide.

#Start the demo server

telepact demo-server --port 8000

#Find the auth shapes

From the public schema:

curl -s localhost:8000/api -d '[{}, {"fn.api_": {}}]'

The important user-defined part is:

{
  "union.Auth_": [
    {"Ephemeral": {"username": "string"}},
    {"Session": {"token": "string"}}
  ]
}

That is our hint that auth-related behavior is part of this service's contract.

Now include internal definitions:

curl -s localhost:8000/api -d '[{}, {"fn.api_": {"includeInternal!": true}}]'

Now we also see:

{
  "headers.Auth_": {
    "@auth_": "union.Auth_"
  }
}

and:

{
  "errors.Auth_": [
    {"ErrorUnauthenticated_": {"message!": "string"}},
    {"ErrorUnauthorized_": {"message!": "string"}}
  ]
}

#Call an auth-protected function without auth

curl -s localhost:8000/api -d '[{}, {"fn.logout": {"username": "shared"}}]'
[{}, {"ErrorUnauthenticated_": {"message!": "Valid authentication is required."}}]

#Log in, then send @auth_

Login:

curl -s localhost:8000/api -d '[{}, {"fn.login": {"username": "doc-user"}}]'

Example response:

[{}, {"Ok_": {"token": "nj-tuNyu6XVA7TAtg4RWOA"}}]

Now use that token:

curl -s localhost:8000/api -d '[{"@auth_": {"Session": {"token": "nj-tuNyu6XVA7TAtg4RWOA"}}}, {"fn.logout": {"username": "doc-user"}}]'
[{}, {"Ok_": {}}]

This login/logout pair is specific to the demo server. Other Telepact services can choose different auth policies. The common convention is that caller credentials travel through @auth_, with union.Auth_ as the canonical public schema shape.

Next: 19. Minimum Python client