Lore auth guide

date: 2026-06-17
author: Peterino

Mental model

Lore is largely a "bring your own" auth system: you provide your own auth endpoint and issue JWTs. Authorization is administered separately and decides what a specific person can access.

  • Authentication proves the user.
  • Authorization proves repository access.
  • Repository commands exchange a user token for a repository-scoped token.
  • The server verifies JWTs through JWKS, then checks repository resources.

A JWT is a signed bundle of claims such as issuer, audience, expiry, subject, and resource access. A JWKS endpoint publishes the public keys the server uses to verify the JWT signature; the token header's kid selects the key.

Local testing

For local testing, if you don't configure anything, it will not authorize anything. That may be OK for internal services or playing around, but otherwise you need proper auth.

loreserver
curl -i http://127.0.0.1:41339/health_check

Server config

[server.auth]
jwt_issuer = "https://accounts.example.com"
jwt_audience = ["lore-service"]

[server.auth.jwk]
endpoint = "https://accounts.example.com/.well-known/jwks.json"

loreserver --config /etc/lore/config

jwt_issuer and jwt_audience filter iss and aud. The JWKS endpoint supplies public keys by kid. A production environment also needs to advertise an auth URL so clients know where to log in and exchange tokens.

If any of this doesn't quite make sense, consult primary source documentation on what JWTs are. One way to integrate with this type of system is likely to just use OpenID.

Some helpful commands below.

Login

lore auth login lore://server.example.com:41337/project
lore auth login --no-browser lore://server.example.com:41337/project
lore auth login --token-type api-key --token "$TOKEN" --auth-url ucs-auth://auth.example.com
lore auth login --token-type lore --token "$LORE_TOKEN" --auth-url ucs-auth://auth.example.com

Inspect

lore auth list
lore auth info

# Prints secrets.
lore auth list --with-token
lore auth info --with-token

Authorization

Repository tokens must include the repository resource or wildcard resource.

urc-<repository-id>
urc-*

If the JWT is valid but lacks the repository resource, the user is authenticated but not authorized for that repository.
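
The authentication/authorization split described above, as an added sketch that is not Lore's own code: it takes the claims of a JWT whose signature has already been verified against the JWKS key and returns one of three outcomes. The `resources` claim name and the sample values are assumptions; the issuer and audience come from the config shown on this page.

```python
import time

# Values from the page's [server.auth] config.
JWT_ISSUER = "https://accounts.example.com"
JWT_AUDIENCE = ["lore-service"]
WILDCARD = "urc-*"

def authenticate(claims, now=None):
    """Claim checks that follow signature verification: iss, aud, exp."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    if isinstance(aud, str):           # RFC 7519 allows a string or an array
        aud = [aud]
    if not isinstance(aud, list):
        return False
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False                   # missing or expired exp fails closed
    return claims.get("iss") == JWT_ISSUER and any(a in JWT_AUDIENCE for a in aud)

def authorize(claims, repository_id):
    """Exact match on urc-<repository-id>, or the literal wildcard urc-*."""
    granted = claims.get("resources")  # ASSUMED claim name, not from the page
    if not isinstance(granted, list):  # a bare string would allow substring matches
        return False
    return f"urc-{repository_id}" in granted or WILDCARD in granted

def decide(claims, repository_id, now=None):
    """Return 'unauthenticated', 'unauthorized' or 'allowed'."""
    if not authenticate(claims, now):
        return "unauthenticated"
    if not authorize(claims, repository_id):
        return "unauthorized"
    return "allowed"

# Constructed sample claims (not a real token).
NOW = 1_900_000_000
ALICE = {"iss": JWT_ISSUER, "aud": "lore-service", "sub": "alice@example.com",
         "exp": 2_000_000_000, "resources": ["urc-project"]}

if __name__ == "__main__":
    for repo in ("project", "proj", "other"):
        print(repo, decide(ALICE, repo, NOW))
```

A server would typically map the first outcome to a failed login and the second to a denied repository request, so the two failures stay distinguishable in logs.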

Auth store

Lore stores login tokens by auth URL. Repository authorization tokens are scoped by auth URL plus repository id.

export LORE_AUTH_PATH="$HOME/.config/lore-auth-test"
lore auth login lore://server.example.com:41337/project
lore auth list

Logout

lore auth logout --auth-url ucs-auth://auth.example.com --user-id alice@example.com
lore auth logout --auth-url ucs-auth://auth.example.com --resource project-id
lore auth clear

Check lore auth --help and your server config for exact behavior.
