CmdCal

Authentication

CmdCal uses two authentication layers: session-based auth for the dashboard and API key auth for programmatic access. Both are scoped to your organization.

Sign-up and Login

Create an account or sign in at paperjsx.com/login. Two methods are available:

  • Google OAuth -- click "Continue with Google" to authenticate via your Google account.
  • Magic link -- enter your email address to receive a one-time sign-in link. No password is required.
GitHub OAuth is configured as a provider but is not currently exposed in the login UI. Google and magic link are the active sign-in methods.

After signing in, you are redirected to /dashboard. A Supabase session cookie is set and used for all subsequent dashboard requests.

API Key Authentication

For programmatic access to the V2 runtime endpoints (/api/v2/render, /api/v2/preflight, /api/v2/jobs), authenticate with an API key. Keys use the pj_live_ prefix.

Two header formats are supported:

Terminal
# Bearer token (recommended)
Authorization: Bearer pj_live_YOUR_KEY

# x-api-key header
x-api-key: pj_live_YOUR_KEY

Create and manage keys from /dashboard/api-keys. See API Keys for details.

Session vs. API Key

AspectSession (cookie)API Key
Used byDashboard UIExternal services, CI/CD, SDKs
IdentityUser (email + OAuth)Organization-level
PermissionsRole-based (owner/admin/member)Full org access
RevocationSign out or session expiryRevoke from dashboard
Rate limitingStandardPlan-based usage limits

The V2 runtime endpoints accept both authentication types. Dashboard management endpoints (settings, key creation, usage) require a session.

Service Accounts for CI/CD

There is no dedicated service account type. For CI/CD pipelines, create a named API key (e.g. "GitHub Actions") and store it as a secret in your CI environment. The key authenticates directly against the runtime -- no OAuth flow is needed.

YAML
# GitHub Actions example
env:
  PAPERJSX_API_KEY: ${{ secrets.PAPERJSX_API_KEY }}

Session Management

Sessions are managed by Supabase Auth. Key behaviors:

  • Sessions persist across browser restarts via secure HTTP-only cookies.
  • Signing out clears the session and redirects to /login.
  • The dashboard shell sets Sentry user context and tracks page views per session.

SSO

SAML/SSO is available on the Business plan. Contact support to configure SSO for your organization.

Next Steps

  • API Keys -- create and manage API keys
  • Access -- role-based permissions within your organization
  • Automation -- use API keys in CI/CD pipelines