
Module auth


Credential storage — ~/.cinch/config.json (0600 permissions).

This module is the source of truth for the disk credential format used by both CLI and desktop. The Go CLI’s cinch/cmd/internal/credstore/store.go uses identical service/account conventions; do not change SERVICE_NAME or the account key format without coordinated updates on both sides.

Structs

DeviceCodeMarker
PairingCompleteMarker

Enums

CredentialError

Constants

DEVICE_CODE_MARKER_END
DEVICE_CODE_MARKER_START
stdout marker emitted by cinch auth login --headless so the orchestrating side (e.g. cinch pair running over SSH) can pick up the device-code URL without parsing free-form output.
LEGACY_SERVICE_NAME
Legacy Keychain service name used by builds prior to 2026-04-29. The credstore reads this as a fallback and migrates entries forward on first successful read.
PAIRING_COMPLETE_MARKER_END
PAIRING_COMPLETE_MARKER_START
stdout marker emitted by the SSH pair script when the remote machine has either reused an existing matching pairing or completed a fresh device-code login. The orchestrating desktop uses this marker to verify that the remote’s user_id matches the local active profile — without it, an exit-0 SSH session can falsely look successful when the remote was already signed in as a different user (or cinch auth login short-circuited before emitting any pairing evidence).
SERVICE_NAME

Functions

add_relay_profile
Add a new RelayProfile to MultiConfig for a freshly-authenticated relay. Used by the deep-link callback when PendingRelayAdd is set. Returns relay_id.
format_device_code_marker
load_config
load_multi_config
parse_device_code_marker
parse_pairing_complete_marker
poll_key_bundle
Poll GET /auth/key-bundle for up to 30s waiting for a key-bearer device to publish our encrypted user-key bundle. Returns true if a bundle arrived and the decrypted master key was persisted via credstore::write_encryption_key; returns false on timeout or any decode failure (with a single line printed to stderr per observed failure mode, mirroring the original CLI behavior).
read_credentials
read_credentials returns the token for the currently-configured (user_id, device_id).
read_encryption_key
Read the encryption key for a user from config.
rotate_credentials
rotate_credentials persists a new token after a WS token_rotated event.
save_config_to_disk
save_multi_config
wipe_credentials
wipe_credentials clears all credential fields from config, bumps credential_version, and best-effort deletes any Keychain entries left over from pre-2026-05-08 CLI builds.
wipe_relay_credentials
Remove credentials for a specific relay from MultiConfig.
write_credentials
write_credentials stores token in config.json (0600). Bumps credential_version and persists via save_config.
write_encryption_key
Write the encryption key for a user to config.
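
The check described under PAIRING_COMPLETE_MARKER_START, sketched as an added example (not code from this module): an exit-0 SSH session counts as paired only if exactly one well-formed marker is present and its user_id equals the local profile's. The marker strings, the `user_id=` payload layout, and the names `PairCheck`, `extract_marker` and `verify_pairing` are assumptions; the page does not give the real constant values or payload format.

```rust
// Added example, not the module's source. Marker strings and the `user_id=`
// payload layout are placeholders; the real values are the module's constants.
const MARKER_START: &str = "<<EXAMPLE_PAIRING_COMPLETE_START>>";
const MARKER_END: &str = "<<EXAMPLE_PAIRING_COMPLETE_END>>";

#[derive(Debug, PartialEq)]
enum PairCheck {
    Verified,
    NonZeroExit(i32),
    MarkerMissing,
    MarkerMalformed,
    UserMismatch { remote: String },
}

/// Return the trimmed payload between the first START and the END after it.
fn extract_marker(stdout: &str) -> Option<&str> {
    let start = stdout.find(MARKER_START)? + MARKER_START.len();
    let len = stdout[start..].find(MARKER_END)?;
    Some(stdout[start..start + len].trim())
}

/// Fail closed: every outcome except an exact user_id match is a rejection.
fn verify_pairing(exit_code: i32, stdout: &str, local_user_id: &str) -> PairCheck {
    if exit_code != 0 {
        return PairCheck::NonZeroExit(exit_code);
    }
    // Exit 0 alone proves nothing; demand explicit pairing evidence.
    match stdout.matches(MARKER_START).count() {
        0 => return PairCheck::MarkerMissing,
        1 => {}
        _ => return PairCheck::MarkerMalformed, // ambiguous: more than one marker
    }
    let payload = match extract_marker(stdout) {
        Some(p) => p,
        None => return PairCheck::MarkerMalformed, // START without END
    };
    match payload.strip_prefix("user_id=") {
        Some(id) if !id.is_empty() && !id.contains(char::is_whitespace) => {
            if id == local_user_id {
                PairCheck::Verified
            } else {
                PairCheck::UserMismatch { remote: id.to_string() }
            }
        }
        _ => PairCheck::MarkerMalformed,
    }
}

fn main() {
    // Constructed sample: remote was already signed in as another user, exit 0.
    let out = format!("Already logged in.\n{}user_id=u_bob{}\n", MARKER_START, MARKER_END);
    println!("{:?}", verify_pairing(0, &out, "u_alice"));
}
```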