Authentication

​

Exchange Token

​

Endpoint

POST https://api.mentra.glass/api/auth/exchange-token

​

Request Body

{
  "supabaseToken": "eyJhbGciOiJIUzI1NiIs..."
}

​

Response

{
  "coreToken": "eyJhbGciOiJIUzI1NiIs..."
}

{
  "error": "No token provided"  // or "Invalid token"
}

​

Implementation

• File: packages/cloud/src/routes/auth.routes.ts:19-51
• Verification: Uses SUPABASE_JWT_SECRET environment variable
• Token Generation: Signs with AUGMENTOS_AUTH_JWT_SECRET
• Token Expiry: No explicit expiry set on core token

​

Core Token Structure

• sub: User ID from Supabase
• email: User’s email address
• organizations: Array of user’s organizations
• defaultOrg: User’s default organization

​

Generate Webview Token

​

Endpoint

POST https://api.mentra.glass/api/auth/generate-webview-token

​

Headers

Authorization: Bearer <coreToken>

​

Request Body

{
  "packageName": "com.example.app"
}

​

Response

{
  "success": true,
  "token": "temp_token_abc123..."
}

​

Implementation

• File: packages/cloud/src/routes/auth.routes.ts:54-69
• Middleware: validateCoreToken - Validates the core JWT token
• Service: Uses tokenService.generateTemporaryToken()

​

Exchange User Token

​

Endpoint

POST https://api.mentra.glass/api/auth/exchange-user-token

​

Headers

Authorization: Bearer <appApiKey>

​

Request Body

{
  "aos_temp_token": "temp_token_abc123...",
  "packageName": "com.example.app"
}

​

Response

{
  "success": true,
  "userId": "user@example.com"
}

{
  "success": false,
  "error": "Invalid or expired token"
}

​

Implementation

• File: packages/cloud/src/routes/auth.routes.ts:72-93
• Middleware: validateAppApiKey - Validates app API key
• Service: Uses tokenService.exchangeTemporaryToken()

​

Exchange Store Token

​

Endpoint

POST https://api.mentra.glass/api/auth/exchange-store-token

​

Request Body

{
  "aos_temp_token": "temp_token_abc123...",
  "packageName": "org.augmentos.store"
}

​

Response

{
  "success": true,
  "userId": "user@example.com",
  "tokens": {
    "supabaseToken": "eyJhbGciOiJIUzI1NiIs...",
    "coreToken": "eyJhbGciOiJIUzI1NiIs..."
  }
}

​

Implementation

• File: packages/cloud/src/routes/auth.routes.ts:96-145
• Validation: Only accepts packageName: "org.augmentos.store"
• Returns: Both Supabase and core tokens for full authentication

​

Hash with API Key

​

Endpoint

POST https://api.mentra.glass/api/auth/hash-with-api-key

​

Headers

Authorization: Bearer <coreToken>

​

Request Body

{
  "stringToHash": "data_to_hash",
  "packageName": "com.example.app"
}

​

Response

{
  "success": true,
  "hash": "sha256_hash_result..."
}

​

Implementation

• File: packages/cloud/src/routes/auth.routes.ts:148-162
• Service: Uses appService.hashWithApiKey()
• Purpose: Allows apps to verify data integrity

​

Generate Signed User Token

​

Endpoint

POST https://api.mentra.glass/api/auth/generate-webview-signed-user-token

​

Headers

Authorization: Bearer <coreToken>

​

Request Body

{
  "packageName": "com.example.app"
}

​

Response

{
  "success": true,
  "token": "eyJhbGciOiJSUzI1NiIs...",
  "expiresIn": "10m"
}

​

Implementation

• File: packages/cloud/src/routes/auth.routes.ts:176-199
• Service: Uses tokenService.issueUserToken()
• Signing: Uses RSA private key for client-side verification
• Expiration: 10 minutes

​

Error Codes

​

Security Notes

1. All tokens should be transmitted over HTTPS
2. Core tokens expire after a configured duration
3. Temporary tokens are single-use and expire quickly
4. API keys must be kept secret and never exposed client-side