The Security API allows users to protect their Rexec account with an additional passcode layer and configure screen lock behavior.

Overview

Rexec provides screen-level security features:
  • Screen Lock: Auto-lock after inactivity
  • Passcode Protection: 6-digit PIN for unlocking
  • Single Session Mode: Prevent concurrent logins
  • Terminal MFA Lock: Lock individual terminals with MFA
Screen lock is separate from MFA. It’s a lightweight protection for shared workstations.

Get security settings

GET /api/security
Retrieve current security configuration.
curl
curl https://api.rexec.sh/api/security \
  -H "Authorization: Bearer YOUR_TOKEN"
  • enabled (boolean): Whether screen lock is enabled
  • lock_after_minutes (integer): Minutes of inactivity before auto-lock (default: 15)
  • single_session_mode (boolean): Whether single session mode is enabled
  • has_passcode (boolean): Whether a passcode is set

Set passcode

POST /api/security/passcode
Set or change the screen lock passcode.
  • new_passcode (string, required): 6-digit numeric passcode
  • current_passcode (string): Required when changing existing passcode
  • lock_after_minutes (integer): Auto-lock timeout (5-120 minutes)
curl
curl -X POST https://api.rexec.sh/api/security/passcode \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "new_passcode": "123456",
    "lock_after_minutes": 15
  }'
Store your passcode securely. If it is lost, you must contact support to reset it.

Update settings

PATCH /api/security
Update auto-lock timeout.
  • lock_after_minutes (integer, required): Minutes before auto-lock (5-120)
curl
curl -X PATCH https://api.rexec.sh/api/security \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"lock_after_minutes": 30}'

Lock account

POST /api/security/lock
Manually lock the account immediately.
curl
curl -X POST https://api.rexec.sh/api/security/lock \
  -H "Authorization: Bearer YOUR_TOKEN"

Unlock account

POST /api/security/unlock
Unlock with passcode. Returns a new JWT token.
  • passcode (string, required): 6-digit passcode
curl
curl -X POST https://api.rexec.sh/api/security/unlock \
  -H "Content-Type: application/json" \
  -d '{"passcode": "123456"}'
  • token (string): New JWT token (previous token is invalidated)
  • user (object): Updated user object

Remove passcode

DELETE /api/security/passcode
Disable screen lock by removing passcode.
  • current_passcode (string, required): Current passcode to confirm
curl
curl -X DELETE https://api.rexec.sh/api/security/passcode \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"current_passcode": "123456"}'

Single session mode

POST /api/security/single-session
Enable or disable single session mode. When enabled, logging in from a new location revokes all other sessions.
  • enabled (boolean, required): Enable or disable single session mode
curl
curl -X POST https://api.rexec.sh/api/security/single-session \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"enabled": true}'

Terminal MFA lock

Lock individual terminals with MFA protection.

Get terminal MFA status

GET /api/security/terminal/:containerId/mfa-status
curl
curl https://api.rexec.sh/api/security/terminal/cont_123/mfa-status \
  -H "Authorization: Bearer YOUR_TOKEN"
  • locked (boolean): Whether terminal is MFA-locked
  • locked_at (string): ISO timestamp when locked

Lock terminal

POST /api/security/terminal/:containerId/mfa-lock
Require MFA code to access this terminal.
curl
curl -X POST https://api.rexec.sh/api/security/terminal/cont_123/mfa-lock \
  -H "Authorization: Bearer YOUR_TOKEN"
MFA must be enabled on your account to use terminal locks.

Unlock terminal

POST /api/security/terminal/:containerId/mfa-unlock
  • code (string, required): 6-digit MFA code
curl
curl -X POST https://api.rexec.sh/api/security/terminal/cont_123/mfa-unlock \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"code": "123456"}'

Verify MFA for temporary access

POST /api/security/terminal/:containerId/mfa-verify
Verify MFA for temporary access without permanently unlocking.
  • code (string, required): 6-digit MFA code
curl
curl -X POST https://api.rexec.sh/api/security/terminal/cont_123/mfa-verify \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"code": "123456"}'

Error codes

Code | Message | Description
400 | Invalid passcode format | Passcode must be 6 digits
401 | Incorrect passcode | Wrong passcode provided
403 | Account locked | Must unlock before access
404 | No passcode set | Cannot unlock without passcode
429 | Too many attempts | Rate limited after failed unlocks
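
The following Python is an added example, not part of the Rexec documentation or any Rexec SDK. It checks a passcode request against the documented constraints (6 digits, 5-120 minutes) before it is sent, and applies an unlock response by replacing the stored token and mapping the error codes above to a client action. The function names, the action strings, the `session` dict and the 2xx success status are assumptions of this example.

```python
import json
import re

# Documented format: exactly 6 digits. [0-9] with fullmatch() rejects
# non-ASCII digits and a trailing newline, which \d and $ would let through.
PASSCODE_RE = re.compile(r"[0-9]{6}")

# Documented error codes mapped to a client action (action names are this example's own).
ACTIONS = {
    400: "fix_input",        # Invalid passcode format
    401: "reprompt",         # Incorrect passcode
    403: "unlock_required",  # Account locked
    404: "no_passcode_set",  # No passcode set
    429: "stop_retrying",    # Too many attempts: do not loop on failed unlocks
}


def build_passcode_body(new_passcode, lock_after_minutes=None, current_passcode=None):
    """Return the JSON body for POST /api/security/passcode, or raise ValueError."""
    if not isinstance(new_passcode, str) or not PASSCODE_RE.fullmatch(new_passcode):
        raise ValueError("new_passcode must be a string of exactly 6 digits")
    body = {"new_passcode": new_passcode}
    if current_passcode is not None:
        body["current_passcode"] = current_passcode
    if lock_after_minutes is not None:
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(lock_after_minutes, bool) or not isinstance(lock_after_minutes, int):
            raise ValueError("lock_after_minutes must be an integer")
        if not 5 <= lock_after_minutes <= 120:
            raise ValueError("lock_after_minutes must be between 5 and 120")
        body["lock_after_minutes"] = lock_after_minutes
    return json.dumps(body)


def handle_unlock_response(status, body_text, session):
    """Apply a POST /api/security/unlock response to `session` and return an action."""
    if 200 <= status < 300:  # assumption: success is reported as a 2xx status
        token = json.loads(body_text).get("token")
        if not token:
            raise ValueError("unlock succeeded but the response carried no token")
        # The previous token is invalidated, so overwrite it instead of keeping both.
        session["token"] = token
        return "unlocked"
    return ACTIONS.get(status, "unexpected")


if __name__ == "__main__":
    session = {"token": "OLD_TOKEN"}  # constructed sample values
    print(handle_unlock_response(200, '{"token": "NEW_TOKEN", "user": {}}', session), session)
    print(handle_unlock_response(429, "", session), session)
```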

Best practices

  • Set auto-lock for shared workstations (5-15 minutes)
  • Use single session mode for high-security accounts
  • Lock sensitive terminals with MFA
  • Don’t share passcodes—they’re per-user
  • Test unlock before relying on screen lock
