401 and 403 responses.
Session Cookie Authentication
Session cookies are the standard authentication path for the ThreatLab web UI and any browser-based caller. Used by: the ThreatLab web UI and any browser-based caller. How it works: sign in at/login. Once authenticated, the browser automatically attaches the session cookie to every subsequent request. You do not need to set any header manually in browser environments.
Required Capabilities per Route
Not every authenticated user can reach every endpoint. ThreatLab’s capability-based authorization model gates destructive routes behind named capabilities.| Route | Required Capability |
|---|---|
POST /api/sessions/start | manage_exercises |
DELETE /api/sessions | manage_exercises |
POST /api/noise/run | manage_noise_logs |
GET /api/platform-status/events | Any authenticated user |
Your effective capability set is the union of all permission-role
permissions arrays assigned to your account. Contact your ThreatLab administrator if you receive a 403 on a route you expect to access.401. Authenticated requests that lack the required capability receive 403.
Bearer Token Authentication
Bearer token authentication is reserved exclusively forPOST /api/noise/run — the automated noise dispatch endpoint invoked by pg_cron or external scripts.
Used by: pg_cron scheduled jobs and automation scripts calling POST /api/noise/run only.
How to pass the token:
Bearer token authentication is accepted only on
POST /api/noise/run. Passing a Bearer token to any other endpoint will result in a 401 — those routes require a valid session cookie.Unauthenticated Endpoints
GET /api/health requires no authentication and is intentionally open for load balancer probes and uptime monitors. You can call it without any credentials.