serve binds 127.0.0.1 by default and refuses a non-loopback --bind unless
authentication is configured. Set a bearer token with --token /
RUNEWARD_API_TOKEN, or point RUNEWARD_AUTHZ_FILE at a JSON store of named
principals (each with its own token, an allowed-profile glob list, and
approval/admin flags) for multi-principal RBAC. When set, the token is required
on every request except /healthz and the static dashboard shell — pass it as
Authorization: Bearer <token>, an X-Runeward-Token header, or a ?token=
query param (the last is required for the terminal WebSocket). Optional TLS via
--tls-cert/--tls-key; request bodies are capped at 16 MiB. See the
Security model.
Under RBAC, a non-admin principal sees and can act on only the sandboxes it
created; admins see all.
AUTH=(-H"Authorization: Bearer $RUNEWARD_API_TOKEN")# omit when serving without a token: AUTH=()SB=$(curl-s"${AUTH[@]}"-XPOSTlocalhost:8080/v1/sandboxes-d'{"profile":"ns-auto"}'|jq-r.id)curl-s"${AUTH[@]}"-XPOST"localhost:8080/v1/sandboxes/$SB/shell/exec"-d'{"command":["echo","hi"]}'curl-s"${AUTH[@]}"-XPOST"localhost:8080/v1/sandboxes/$SB/usage"-d'{"tokens":1200,"cost_usd":0.03}'curl-s"${AUTH[@]}""localhost:8080/v1/audit/verify"curl-s"${AUTH[@]}"-XDELETE"localhost:8080/v1/sandboxes/$SB"