Authentication
Pulse supports two authentication methods: session-based auth for the web app and API key auth for programmatic access.
Session Authentication
The web app uses Auth.js v5 with two passwordless providers:
- Google OAuth — Sign in with your Google account
- Email (Resend) — Receive a magic link via email
No passwords are stored. Sessions are managed via database-backed session tokens.
API Key Authentication
For programmatic access (MCP server, scripts, integrations), use API keys.
Creating an API Key
- Go to Settings → API Keys in the Pulse web app
- Click Generate Key
- Copy the key immediately — it won't be shown again
API keys have the prefix pgtd_ followed by a random string.
Using an API Key
Include the key as a Bearer token in the Authorization header:
Authorization: Bearer pgtd_your_api_key_here
Example Request
curl https://pulsegtd.app/api/v1/tasks \
-H "Authorization: Bearer pgtd_abc123def456" \
-H "Content-Type: application/json"
Key Management
| Endpoint | Method | Description |
|---|---|---|
/api/v1/api-keys | GET | List all your API keys |
/api/v1/api-keys | POST | Generate a new API key |
/api/v1/api-keys/:id | DELETE | Revoke an API key |
Keys are stored as SHA-256 hashes — Pulse never stores the raw key. The keyPrefix (first 8 characters) is stored for identification.
Error Responses
Unauthenticated requests receive a 401 Unauthorized response:
{
"error": "Unauthorized"
}
Security Notes
- API keys grant full access to your account — treat them like passwords
- Rotate keys regularly via the Settings page
- Keys can be revoked instantly if compromised
- The
lastUsedAtfield tracks when each key was last used
When to Use Which
Use session auth for browser-based access (the web app handles this automatically). Use API key auth for scripts, the MCP server, and any programmatic integration.