Overview
The Dashboard Authentication API manages password and two-factor authentication (TOTP) for accessing the Codex-LB web dashboard and management APIs.
GET /api/dashboard-auth/session
Get the current dashboard authentication session state.
Response
- Whether a password has been set up
- Whether the current session has verified the password
- Whether TOTP 2FA is configured
- Whether the current session has verified TOTP
- Whether TOTP is required for dashboard access
POST /api/dashboard-auth/password/setup
Set up the initial dashboard password. Can only be called once.
Request Body
- Password to set. Must be at least 8 characters.
Response
Returns session state after successful setup. Sets the `dashboard_session` cookie.
POST /api/dashboard-auth/password/login
Authenticate with the dashboard password.
Request Body
- Dashboard password
Response
Returns session state after successful login. Sets the `dashboard_session` cookie.
Rate Limiting
Password login is rate-limited to 8 attempts per 60 seconds per IP address.
POST /api/dashboard-auth/password/change
Change the dashboard password. Requires an active password session.
Request Body
- Current password for verification
- New password to set. Must be at least 8 characters.
DELETE /api/dashboard-auth/password
Remove the dashboard password. Requires an active password session.
Request Body
- Current password for confirmation
POST /api/dashboard-auth/totp/setup/start
Start TOTP (two-factor authentication) setup. Requires an active password session.
Response
- TOTP secret key in base32 format
- Data URL for the QR code image to scan with an authenticator app
- Token to use when confirming TOTP setup
POST /api/dashboard-auth/totp/setup/confirm
Complete TOTP setup by verifying a code from the authenticator app.
Request Body
- Setup token from /totp/setup/start
- 6-digit code from the authenticator app
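The TOTP mechanics that setup/start, setup/confirm and verify rely on (a base32 secret, the otpauth URI that the QR code encodes, and verification of a submitted 6-digit code), as an added Go example rather than Codex-LB's own code. The 20-byte secret length, the one-step clock-drift window and the issuer/account label are assumptions; the page states none of them.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
	"strings"
	"time"
)

var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// NewTOTPSecret returns a random secret as unpadded base32, the form the
// setup response carries. The 20-byte length is an assumption; the page
// does not state what Codex-LB generates.
func NewTOTPSecret() (string, error) {
	raw := make([]byte, 20)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return b32.EncodeToString(raw), nil
}

// OTPAuthURI builds the otpauth:// URI an authenticator app reads from the
// setup QR code. Issuer and account label are assumed values.
func OTPAuthURI(secret, issuer, account string) string {
	q := url.Values{}
	q.Set("secret", secret)
	q.Set("issuer", issuer)
	q.Set("algorithm", "SHA1")
	q.Set("digits", "6")
	q.Set("period", "30")
	return "otpauth://totp/" + url.PathEscape(issuer+":"+account) + "?" + q.Encode()
}

// totpCode computes the RFC 6238 six-digit code for one 30-second counter.
func totpCode(secret string, counter uint64) (string, error) {
	key, err := b32.DecodeString(strings.ToUpper(strings.ReplaceAll(secret, " ", "")))
	if err != nil {
		return "", err
	}
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // RFC 4226 dynamic truncation
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000), nil
}

// VerifyTOTP checks a submitted code against the secret at time now. It also
// accepts the previous and next 30-second step to absorb clock drift, and
// compares in constant time so a wrong code does not leak matching digits.
func VerifyTOTP(secret, code string, now time.Time) bool {
	if len(code) != 6 {
		return false
	}
	counter := uint64(now.Unix() / 30)
	for _, c := range []uint64{counter - 1, counter, counter + 1} {
		expected, err := totpCode(secret, c)
		if err != nil {
			return false
		}
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	secret, _ := NewTOTPSecret()
	fmt.Println("secret:", secret)
	fmt.Println("uri:", OTPAuthURI(secret, "Codex-LB", "dashboard"))
	code, _ := totpCode(secret, uint64(time.Now().Unix()/30))
	fmt.Println("code", code, "valid:", VerifyTOTP(secret, code, time.Now()))
}
```

The setup token returned by /totp/setup/start is what ties the confirm call to this secret; the server should keep the secret server-side until confirm succeeds, and only then mark TOTP as configured. The QR data URL on the page is simply this otpauth URI rendered as an image.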
POST /api/dashboard-auth/totp/verify
Verify a TOTP code to complete dashboard login.
Request Body
- 6-digit code from the authenticator app
Response
Returns session state after successful verification. Updates the `dashboard_session` cookie.
Rate Limiting
TOTP verification is rate-limited to 8 attempts per 60 seconds per IP address.
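A sliding-window limiter that enforces the 8-attempts-per-60-seconds-per-IP rule stated for both password/login and totp/verify, written here as an added Go example and not Codex-LB's own implementation. The in-memory store, the choice not to count refused attempts, and the Retry-After hint are assumptions.

```go
package main

import (
	"fmt"
	"math"
	"net/http"
	"sync"
	"time"
)

// Limits stated on the page: 8 attempts per 60-second window, keyed by client IP.
const (
	maxAttempts = 8
	window      = 60 * time.Second
)

// AttemptLimiter is a sliding-window limiter: it keeps the timestamps of each
// key's recent attempts and refuses another once maxAttempts fall inside the
// window. It is in-memory and so covers a single process; a multi-process
// deployment would need shared state (an assumption, not something the page
// describes).
type AttemptLimiter struct {
	mu       sync.Mutex
	attempts map[string][]time.Time
}

func NewAttemptLimiter() *AttemptLimiter {
	return &AttemptLimiter{attempts: make(map[string][]time.Time)}
}

// prune drops timestamps that have left the window; the caller holds mu.
func (l *AttemptLimiter) prune(key string, now time.Time) []time.Time {
	cutoff := now.Add(-window)
	kept := l.attempts[key][:0]
	for _, ts := range l.attempts[key] {
		if ts.After(cutoff) {
			kept = append(kept, ts)
		}
	}
	l.attempts[key] = kept
	return kept
}

// Allow records an attempt for key at now and reports whether it may proceed.
// Refused attempts are not recorded, so a client that keeps retrying does not
// push its own unlock time further out.
func (l *AttemptLimiter) Allow(key string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	kept := l.prune(key, now)
	if len(kept) >= maxAttempts {
		return false
	}
	l.attempts[key] = append(kept, now)
	return true
}

// RetryAfter is how long key must wait until its oldest in-window attempt
// expires; zero when it may try now.
func (l *AttemptLimiter) RetryAfter(key string, now time.Time) time.Duration {
	l.mu.Lock()
	defer l.mu.Unlock()
	kept := l.prune(key, now)
	if len(kept) < maxAttempts {
		return 0
	}
	return kept[0].Add(window).Sub(now)
}

// LoginAttemptError is the check a login handler runs before touching the
// password or TOTP code: an empty code means proceed; otherwise it returns
// the page's rate_limit_exceeded response with a Retry-After hint in seconds.
func (l *AttemptLimiter) LoginAttemptError(ip string, now time.Time) (status int, code string, retryAfterSec int) {
	if l.Allow(ip, now) {
		return 0, "", 0
	}
	wait := l.RetryAfter(ip, now)
	return http.StatusTooManyRequests, "rate_limit_exceeded", int(math.Ceil(wait.Seconds()))
}

func main() {
	l := NewAttemptLimiter()
	now := time.Now()
	for i := 1; i <= 9; i++ { // constructed sample IP; the 9th attempt is refused
		status, code, retry := l.LoginAttemptError("203.0.113.7", now)
		fmt.Printf("attempt %d: status=%d code=%q retry_after=%ds\n", i, status, code, retry)
	}
}
```

Running the limiter before credential verification matters: the endpoint should answer 429 without revealing whether the password or code would have been correct, and the same limiter instance should back both login endpoints if they are meant to share a budget (the page lists the same limit for each, but does not say whether the counters are shared).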
POST /api/dashboard-auth/totp/disable
Disable TOTP two-factor authentication. Requires an active password session.
POST /api/dashboard-auth/logout
Log out and invalidate the current dashboard session.
Session Management
Session Cookie
Authenticated sessions are stored in a cookie named `dashboard_session`:
- HTTPOnly: Yes (not accessible via JavaScript)
- Secure: Yes (HTTPS only in production)
- SameSite: Lax
- Max-Age: 12 hours (43200 seconds)
- Encryption: AES-256-GCM
Session State
Each session tracks:
- `password_verified` - Whether the password was authenticated
- `totp_verified` - Whether TOTP was verified (if enabled)
If TOTP is required (`isTotpRequiredOnLogin: true`), both `password_verified` and `totp_verified` must be true to access protected endpoints.
Error Codes
| Code | Status | Description |
|---|---|---|
| authentication_required | 401 | Session invalid or not authenticated |
| invalid_credentials | 401 | Password incorrect |
| totp_required | 401 | TOTP verification needed |
| totp_invalid_code | 400 | TOTP code incorrect |
| password_already_configured | 409 | Password already set up |
| password_not_configured | 400 | Password not yet configured |
| totp_already_configured | 409 | TOTP already enabled |
| totp_not_configured | 400 | TOTP not enabled |
| rate_limit_exceeded | 429 | Too many failed attempts |
| validation_error | 400 | Invalid request (e.g., password too short) |
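How the encrypted session cookie, the session flags and the error codes above fit together, as an added Go example (not Codex-LB's code): it seals `password_verified` and `totp_verified` with AES-256-GCM, refuses tampered, foreign-key or expired tokens, and maps a session to the `authentication_required` or `totp_required` response. The JSON payload layout, the embedded expiry timestamp and the use of the cookie name as associated data are assumptions; the page only states the cipher and the 12-hour Max-Age.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"time"
)

const cookieName = "dashboard_session"
const sessionTTL = 12 * time.Hour // matches the cookie's Max-Age of 43200 seconds

// SessionState holds the two flags the page says each session tracks. The
// expiry field is an assumption: it lets the server refuse a replayed cookie
// after Max-Age even if a client ignores that attribute.
type SessionState struct {
	PasswordVerified bool      `json:"password_verified"`
	TOTPVerified     bool      `json:"totp_verified"`
	ExpiresAt        time.Time `json:"expires_at"`
}

// newGCM builds the AEAD and insists on a 32-byte key, which is what makes it AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("session key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the state and returns a cookie-safe base64url token of
// nonce || ciphertext || tag; the cookie name is bound in as associated data.
func Seal(key []byte, s SessionState) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	plain, _ := json.Marshal(s) // cannot fail for a struct of bools and a time
	sealed := gcm.Seal(nonce, nonce, plain, []byte(cookieName))
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Open reverses Seal: a tampered, truncated or foreign-key token fails the
// GCM tag check, and a token past its expiry is refused as well.
func Open(key []byte, token string, now time.Time) (s SessionState, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return s, err
	}
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) < gcm.NonceSize() {
		return s, errors.New("malformed session token")
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(cookieName))
	if err != nil {
		return s, errors.New("session token failed authentication")
	}
	if err := json.Unmarshal(plain, &s); err != nil {
		return s, err
	}
	if !now.Before(s.ExpiresAt) {
		return s, errors.New("session expired")
	}
	return s, nil
}

// Authorize applies the Session State rule and, on refusal, returns the
// status and code from the Error Codes table; 200 and "" mean proceed.
func Authorize(s SessionState, totpRequired bool) (int, string) {
	if !s.PasswordVerified {
		return http.StatusUnauthorized, "authentication_required"
	}
	if totpRequired && !s.TOTPVerified {
		return http.StatusUnauthorized, "totp_required"
	}
	return http.StatusOK, ""
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real deployment loads it from configuration
	rand.Read(key)
	tok, _ := Seal(key, SessionState{PasswordVerified: true, ExpiresAt: time.Now().Add(sessionTTL)})
	s, err := Open(key, tok, time.Now())
	status, code := Authorize(s, true)
	fmt.Println(err, status, code) // password-only session with TOTP required -> <nil> 401 totp_required
}
```

Because the cookie is encrypted and authenticated rather than a lookup key, the server learns nothing from a forged token except that the tag failed, which is why every failure above collapses to the same `authentication_required` outcome at the API boundary. A successful TOTP verify would re-seal the state with `totp_verified` set, which is the "updates the cookie" step described for /totp/verify.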
Authentication Flow
Initial Setup
- POST /api/dashboard-auth/password/setup with the initial password (allowed only once); the response sets the `dashboard_session` cookie.
- Optionally enable TOTP: POST /api/dashboard-auth/totp/setup/start, scan the returned QR code with an authenticator app, then POST /api/dashboard-auth/totp/setup/confirm with the setup token and a code from the app.
Login (Password Only)
- POST /api/dashboard-auth/password/login with the dashboard password; the session cookie is set with `password_verified` true.
Login (Password + TOTP)
- POST /api/dashboard-auth/password/login with the dashboard password.
- POST /api/dashboard-auth/totp/verify with a 6-digit code from the authenticator app; the cookie is updated so that both `password_verified` and `totp_verified` are true, which protected endpoints require when `isTotpRequiredOnLogin` is true.
Related
- Features → Dashboard Auth - Overview and configuration
- Configuration → Environment Variables - Session encryption settings
- API Keys Management - Separate API key authentication