- `authsome run -- <command>` — recommended. The proxy injects credentials without exposing secrets to the child process.
- `authsome export <provider> --format env` — when the tool cannot route through an HTTP proxy.
- Daemon HTTP API — when you are building tooling that talks to the local daemon over PoP-authenticated HTTP.
The CLI plus proxy covers almost every workflow. Drop to export or the HTTP API only when embedding authsome in custom orchestration or non-Python runtimes. See Run agents with the proxy.
Install
Quick start (proxy)
Quick start (export)
Quick start (daemon HTTP API)
The CLI and proxy both call the daemon at `http://127.0.0.1:7998/api/...` with PoP JWT authentication. Every protected request carries `Authorization: PoP <jwt>` signed by the local Ed25519 identity key.
src/authsome/cli/client.py in the repository — that client is the reference implementation.
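A PoP header of the kind described above, built and checked in Node.js, since the HTTP API is the surface for non-Python runtimes. This is an added example, not authsome's code: the claim names (`htm`, `htu`, `iat`, `jti`, borrowed from DPoP), the 60-second freshness window and the placeholder route are assumptions, and the daemon's actual token format is whatever the reference client produces.

```javascript
// Added example (not authsome code): DPoP-style PoP JWT signed with Ed25519.
// Claim names htm/htu/iat/jti and the 60 s window are assumptions.
const { generateKeyPairSync, sign, verify, randomUUID } = require('node:crypto');

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Client side: bind the token to one method + URL and a timestamp, then sign.
function makePopHeader(privateKey, method, url, now = Date.now()) {
  const header = { alg: 'EdDSA', typ: 'JWT' };
  const claims = { htm: method, htu: url, iat: Math.floor(now / 1000), jti: randomUUID() };
  const signingInput = `${enc(header)}.${enc(claims)}`;
  const sig = sign(null, Buffer.from(signingInput), privateKey).toString('base64url');
  return `PoP ${signingInput}.${sig}`;
}

// Server side: verify the signature first, then request binding, freshness, replay.
function checkPopHeader(publicKey, authorization, method, url, seenJti, now = Date.now(), maxAgeSec = 60) {
  const [scheme, jwt] = authorization.split(' ');
  if (scheme !== 'PoP' || !jwt) return 'bad-scheme';
  const parts = jwt.split('.');
  if (parts.length !== 3) return 'malformed';
  let header, claims;
  try { header = dec(parts[0]); claims = dec(parts[1]); } catch { return 'malformed'; }
  if (header.alg !== 'EdDSA') return 'bad-alg'; // pin the algorithm; never let the token choose
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!verify(null, signed, publicKey, Buffer.from(parts[2], 'base64url'))) return 'bad-signature';
  if (claims.htm !== method || claims.htu !== url) return 'wrong-request';
  if (Math.abs(Math.floor(now / 1000) - claims.iat) > maxAgeSec) return 'stale';
  if (seenJti.has(claims.jti)) return 'replayed';
  seenJti.add(claims.jti);
  return 'ok';
}

// Constructed demo: throwaway key pair and a placeholder route (not a real authsome route).
function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const url = 'http://127.0.0.1:7998/api/placeholder';
  const seen = new Set();
  const auth = makePopHeader(privateKey, 'GET', url);
  return {
    first: checkPopHeader(publicKey, auth, 'GET', url, seen),
    replay: checkPopHeader(publicKey, auth, 'GET', url, seen),
    otherMethod: checkPopHeader(publicKey, makePopHeader(privateKey, 'GET', url), 'POST', url, seen),
    stale: checkPopHeader(publicKey, makePopHeader(privateKey, 'GET', url, Date.now() - 300000), 'GET', url, seen),
  };
}
console.log(demo());
```

Unlike a bearer token, a header captured from one request is rejected when presented for a different method or URL, a second time, or after the freshness window.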
Public package exports
The top-level `authsome` package re-exports models, errors, and the Vault interface for tests and advanced embedding:
CredentialService (the daemon’s credential lifecycle coordinator) lives in authsome.server and is constructed by the daemon’s dependency injection layer. It is not a supported public embedding API.
Vault
A minimal encrypted key-value interface. Credential records are stored under keys like `vault:<vault_id>:<provider>:connection:<name>`. Direct vault access is rare outside tests:
Errors
All exceptions subclass `AuthsomeError`. Common ones:
| Exception | When |
|---|---|
| `ProviderNotFoundError` | Unknown provider name |
| `ConnectionNotFoundError` | Requested connection doesn’t exist |
| `CredentialMissingError` | Provider registered but no completed connection |
| `RefreshFailedError` | Provider rejected the refresh token |
| `TokenExpiredError` | Token expired and refresh wasn’t possible |
| `AuthenticationFailedError` | Login flow failed or was cancelled |
| `IdentityNotFoundError` | Identity handle not registered with the daemon |
| `StoreUnavailableError` | Vault or store unreachable |
When to use which surface
| Use the proxy | Use export | Use the HTTP API |
|---|---|---|
| Python/Node/any HTTP agent | SDKs that ignore proxies | Custom tooling on top of authsome |
| Secrets must not appear in env | Short-lived shell sessions | Non-Python orchestrators |
| Default for new integrations | TLS-pinned SDKs | Dashboards and automation |
What’s next
Architecture
Identity, Vault, Principal, and the daemon.
HTTP daemon API
Every route the daemon exposes.