Developer authentication
Developers authenticate in two ways depending on the interface: CLI and MCP — the CLI uses your GitHub credentials (viagh auth or a personal access token) to obtain an identity token. Every API call includes this token. murmur setup configures this automatically.
Dashboard — the web dashboard uses GitHub OAuth. You click “Log in with GitHub,” authorize the Macroscope GitHub App, and receive a session cookie. The session is encrypted and refreshed automatically.
Tenant membership
Your tenant access is derived from GitHub:- Personal tenants — every authenticated GitHub user has a personal tenant (
github_oauth/{username}). No setup required. - Organization tenants — when your GitHub org installs the Macroscope GitHub App, every org member can access that tenant (
github_app/{org}). Membership is checked against GitHub’s org membership API on every request.
Agent authentication
Agents running on VMs authenticate with identity tokens scoped to a single session. The token is part of the encrypted developer profile — it is decrypted in VM process memory and used for all API calls the agent makes. When the agent stops, the token is destroyed with the process.Service agents
Service agents authenticate with credentials minted from the GitHub App installation token at workflow start time. They operate on behalf of the org, not a specific developer.| Type | Page |
|---|---|
| Concept | Security model |
| Concept | Authorization |
| Concept | Encryption |
| Guide | GitHub personal access tokens |
| Guide | Service profiles |