You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This commit was created on GitHub.com and signed with GitHub’s verified signature.
Added
OAuth refresh tokens — no more hourly re-login on the self-hosted server. The token
endpoint now issues a refresh_token and supports the refresh_token grant (RFC 6749 §6),
so a connected client (claude.ai) silently renews the short-lived access token instead of
redoing the full login every hour. Refresh tokens rotate on each use with reuse
detection (replaying a rotated/stolen token revokes the whole family), are stored hashed,
never in plaintext, and are revocable. Access tokens stay short-lived (1h). Both lifetimes are
now env-configurable (AGAMI_ACCESS_TOKEN_TTL / AGAMI_REFRESH_TOKEN_TTL, seconds) with the
same defaults when unset (access 1h, refresh 30-day idle). No action needed on upgrade — the
new oauth_refresh_token table migrates in automatically on boot.