Magg Authentication Guide
June 25, 2025 ยท View on GitHub
This guide covers how to set up and use bearer token authentication in Magg.
Overview
Magg uses RSA keypair-based bearer token authentication with JWT tokens. When enabled, all clients must provide a valid JWT token to access the server. Authentication is optional - if no keys exist, the server runs without authentication.
Quick Start
1. Initialize Authentication
Generate RSA keypair (one-time setup):
magg auth init
This creates:
- Private key:
~/.ssh/magg/magg.key - Public key:
~/.ssh/magg/magg.key.pub
2. Generate JWT Token
# Display token on screen
magg auth token
# Export to environment variable
export MAGG_JWT=$(magg auth token -q)
3. Connect with Authentication
Using MaggClient (recommended):
from magg.client import MaggClient
# Automatically uses MAGG_JWT environment variable
async with MaggClient("http://localhost:8000/mcp") as client:
tools = await client.list_tools()
Detailed Setup
Custom Configuration
Initialize with custom parameters:
# Custom audience and issuer
magg auth init --audience myapp --issuer https://mycompany.com
# Custom key location
magg auth init --key-path /opt/magg/keys
Token Generation Options
Generate tokens with specific parameters:
# Custom subject and expiration
magg auth token --subject "my-service" --hours 168
# Include scopes (informational only, not enforced)
magg auth token --scopes "read" "write" "admin"
# Export format for shell scripts
magg auth token --export
# Output: export MAGG_JWT="eyJ..."
Key Management
Display keys for backup or verification:
# Show public key (safe to share)
magg auth public-key
# Show private key (keep secret!)
magg auth private-key
# Export private key in single-line format for env vars
magg auth private-key --oneline
Environment Variables
Server Configuration
MAGG_PRIVATE_KEY: Private key content (takes precedence over file)export MAGG_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\nMIIE..."
Client Configuration
MAGG_JWT: JWT token for client authenticationexport MAGG_JWT="eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
Configuration Files
Auth Configuration (.magg/auth.json)
{
"bearer": {
"issuer": "https://magg.local",
"audience": "myapp",
"key_path": "/custom/path/to/keys"
}
}
Key File Locations
Default locations:
- Private key:
{key_path}/{audience}.key - Public key:
{key_path}/{audience}.key.pub
Example with custom audience "prod":
/home/user/.ssh/magg/prod.key/home/user/.ssh/magg/prod.key.pub
Client Examples
Python with MaggClient
import os
from magg.client import MaggClient
# Method 1: Auto-load from environment
os.environ['MAGG_JWT'] = 'your-jwt-token'
async with MaggClient("http://localhost:8000/mcp") as client:
tools = await client.list_tools()
# Method 2: Explicit token
from fastmcp.client import BearerAuth
auth = BearerAuth('your-jwt-token')
async with MaggClient("http://localhost:8000/mcp", auth=auth) as client:
tools = await client.list_tools()
# Method 3: Transparent proxy mode (no prefixes)
async with MaggClient("http://localhost:8000/mcp", transparent=True) as client:
# Call tools without prefixes
result = await client.call_tool("add", {"a": 5, "b": 3})
# Instead of: client.call_tool("calc_add", {"a": 5, "b": 3})
Using with curl
# Get JWT token
JWT=$(magg auth token -q)
# Make authenticated request
curl -H "Authorization: Bearer $JWT" http://localhost:8000/mcp/
Disabling Authentication
To run Magg without authentication:
Option 1: Don't Generate Keys
Simply don't run magg auth init. No keys = no auth.
Option 2: Remove Existing Keys
rm ~/.ssh/magg/magg.key*
Option 3: Configure Non-Existent Path
Edit .magg/auth.json:
{
"bearer": {
"key_path": "/path/that/does/not/exist"
}
}
Security Best Practices
-
Protect Private Keys
- Files are created with 0600 permissions (owner read/write only)
- Never commit private keys to version control
- Use
.gitignoreto exclude.magg/directory
-
Token Management
- Use short expiration times for development (default: 24 hours)
- Longer expiration for production services
- Rotate tokens regularly
-
Production Deployment
- Use environment variables for keys and tokens
- Consider using a secrets management service
- Enable HTTPS for transport security
-
Multiple Environments
- Use different audiences for dev/staging/prod
- Separate key pairs per environment
- Example:
magg auth init --audience prod
Troubleshooting
Check Authentication Status
magg auth status
Output shows:
- Current configuration
- Key file locations
- Whether keys exist
Common Issues
-
"Authentication is not enabled"
- No private key found
- Run
magg auth initor checkMAGG_PRIVATE_KEY
-
"Invalid token"
- Token expired (check with jwt.io)
- Wrong audience or issuer
- Using token from different key pair
-
"Permission denied" when reading key
- Check file permissions:
ls -la ~/.ssh/magg/ - Should be 0600 for private key
- Check file permissions:
Advanced Usage
Custom Token Claims
While Magg doesn't enforce scopes, you can include them for client-side logic:
magg auth token --scopes "projects:read" "servers:write"
Token Introspection
Decode a token to see its claims:
# Using Python
python -c "import jwt; print(jwt.decode('$MAGG_JWT', options={'verify_signature': False}))"
Integration with CI/CD
Generate long-lived tokens for automated systems:
# 30-day token for CI
magg auth token --subject "github-actions" --hours 720 --quiet