Documentation Index
Fetch the complete documentation index at: https://docs.murmur.dev/llms.txt
Use this file to discover all available pages before exploring further.
Murmur uses GitHub as the primary identity provider. All human users authenticate via GitHub, and tenant membership is derived from GitHub organization membership. This page documents every authentication method in the platform.
GitHub OAuth (dashboard)
The dashboard authenticates users with GitHub OAuth 2.0:
- Redirect — clicking “Sign in with GitHub” redirects to GitHub’s OAuth authorization endpoint.
- Authorization — you approve the Macroscope GitHub App’s requested scopes (org membership, repo access).
- Token exchange — the dashboard backend exchanges the authorization code for an access token.
- Session creation — a session cookie is created containing the OAuth tokens, encrypted with ECIES P-256.
- Tenant resolution — your GitHub org memberships are checked to determine which tenants you can access.
Session cookies
- Encryption — ECIES P-256 (Elliptic Curve Integrated Encryption Scheme). The OAuth tokens inside the cookie are encrypted and cannot be read by the browser or intercepted by client-side JavaScript.
- Expiry — 30-day session lifetime.
- Auto-refresh — tokens are refreshed transparently before expiry. You will not be prompted to re-authenticate unless the cookie is cleared or the session exceeds the maximum lifetime.
- Scope — cookies are scoped to the dashboard domain with
HttpOnly, Secure, and SameSite flags.
Identity tokens (CLI and MCP)
The Murmur CLI and MCP server authenticate using identity tokens derived from your GitHub credentials:
# Authenticate the CLI
murmur login
murmur login initiates a GitHub device flow or browser-based OAuth.- Your GitHub token is used to generate a Murmur identity token.
- The identity token is stored locally (typically in your OS keychain or a secured file).
- All subsequent CLI commands include the identity token in gRPC metadata.
Identity tokens encode your GitHub username and org memberships. The API server validates the token on every request and resolves your tenant context.
Token management
# Check current authentication status
murmur auth status
# Re-authenticate (e.g., after token expiry)
murmur login
# View your identity
murmur whoami
Agent authentication
Agent VMs authenticate to the Murmur API using short-lived service tokens issued by the control plane:
- VM boot — the control plane provisions the VM and generates a short-lived token scoped to the agent’s session.
- Token delivery — the token is delivered to the VM through a secure metadata channel.
- API calls — the MCP server on the VM includes this token in all API requests.
- Scope — the token is limited to operations relevant to the agent’s session: status updates, task management, spawning children, and uploading files.
- Expiry — tokens have a short lifetime and are not renewable. When the agent session ends, the token becomes invalid.
Agent tokens cannot:
- Access other tenants
- Modify catalog resources outside their scope
- Access secrets not assigned to their workspace
- Impersonate other users
Token refresh
For long-running agent sessions, the control plane can rekey the agent’s credentials via the Rekey RPC. This issues fresh tokens without interrupting the agent’s work.
GitHub App authentication
The Macroscope GitHub App authenticates to GitHub for repository operations:
| Operation | Authentication method |
|---|
| Cloning repositories | Installation access token |
| Creating pull requests | Installation access token |
| Posting PR comments | Installation access token |
| Reading CI check results | Installation access token |
| Webhook delivery | HMAC signature verification |
Installation tokens
- Scope — each installation token is scoped to the repositories where the GitHub App is installed.
- Lifetime — tokens are short-lived (1 hour) and requested on demand.
- Rotation — the platform requests fresh tokens as needed; no long-lived tokens are stored.
The GitHub App’s private key is stored in the control plane and never exposed to agent VMs. Agents receive a GH_TOKEN environment variable containing a scoped installation token for their configured repositories.
Event pipeline authentication
GitHub Actions and other CI systems authenticate to the Murmur event pipeline using OIDC + Workload Identity Federation (WIF):
- OIDC token — GitHub Actions generates an OIDC token for the workflow run.
- WIF exchange — the OIDC token is exchanged for a Google Cloud access token via Workload Identity Federation.
- Event submission — the access token authenticates the event submission to the Murmur event bus.
This approach has significant security advantages:
- No stored secrets — no Murmur API keys or service account keys are stored in GitHub repository secrets.
- Short-lived — OIDC tokens are valid only for the duration of the workflow run.
- Auditable — every event submission is tied to a specific GitHub Actions workflow run.
Setting up event authentication
Event pipeline authentication is configured automatically when you run:
This sets up the GitHub Actions workflow that forwards events (CI results, PR comments) to your Murmur agents.
Session management
Dashboard sessions
| Property | Value |
|---|
| Storage | Encrypted cookie (ECIES P-256) |
| Lifetime | 30 days |
| Refresh | Automatic, transparent |
| Revocation | Clear browser cookies or sign out |
| Multi-tenant | Switch tenants via the dashboard header |
CLI sessions
| Property | Value |
|---|
| Storage | OS keychain or local token file |
| Lifetime | Based on GitHub token expiry |
| Refresh | Re-run murmur login |
| Multi-tenant | Determined by org membership |
Agent sessions
| Property | Value |
|---|
| Storage | In-memory only (never persisted to disk) |
| Lifetime | Duration of the agent’s session |
| Refresh | Via Rekey RPC from control plane |
| Scope | Limited to the agent’s own session operations |
