Users and Roles
Users are defined in a JSON file (default: ~/.vigolium/users.json). On first run, the file is auto-created from the embedded template with randomly generated access codes (prefixed vgl_).
Three roles control API access:
| Role | Description |
|---|---|
| admin | Full access — can delete resources, update config, manage projects |
| operator | Can run scans, ingest traffic, and execute agent operations |
| viewer | Read-only access to records, findings, stats, and scan history |
The embedded template defines these default users:
| Name | Role |
|---|---|
| vigolium-admin | admin |
| vigolium-operator | operator |
| vigolium-analyst | viewer |
| vigolium-auditor | viewer |
Login
Exchange a username and access code for user info and a Bearer token.
POST /api/auth/login
This endpoint is publicly accessible (no authentication required).
Request body: a JSON object with the fields `username` and `access_code`.
Error responses:
| Status | Condition | Body |
|---|---|---|
| 400 | Missing or malformed request body | {"error": "username and access_code are required", "code": 400} |
| 401 | Invalid username or access code | {"error": "invalid username or access code", "code": 401} |
Current User Info
Retrieve the authenticated user's identity and role.
GET /api/user/info
Requires a valid Bearer token.
Success response (200): the authenticated user's identity and role.
Error responses:
| Status | Condition | Body |
|---|---|---|
| 401 | Missing or invalid token | {"error": "invalid Bearer token", "code": 401} |
Using the Token
Include the token as a Bearer token in the Authorization header (Authorization: Bearer <token>) for all subsequent API requests.
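The login-then-call flow above, as an added client example that is not Vigolium's own code. It assumes the server listens at BASE_URL and that the login response carries the token in a "token" field (the docs above do not show the success body); the fake_transport is a constructed stand-in so the flow, including the documented 400/401 error bodies, runs offline.

```python
import json
import urllib.error
import urllib.request
# Added example, not Vigolium's own client. Assumptions: server at BASE_URL, login body has a "token" field.
BASE_URL = "http://127.0.0.1:8080"

class VigoliumAuthError(Exception):
    """args = (code, error), taken from the documented error body {"error": ..., "code": ...}."""

def http_transport(method, path, headers, body):
    """Real transport over urllib: returns (status, decoded JSON body), error bodies included."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read())

def fake_transport(method, path, headers, body):
    """Constructed offline stand-in for the server; returns the documented status codes and error bodies."""
    users = {"vigolium-analyst": ("vgl_FAKE_CODE", "viewer")}  # made-up access code for one viewer account
    if (method, path) == ("POST", "/api/auth/login"):
        if not body or not {"username", "access_code"} <= set(body):
            return 400, {"error": "username and access_code are required", "code": 400}
        code, role = users.get(body["username"], (None, None))
        if code is None or code != body["access_code"]:
            return 401, {"error": "invalid username or access code", "code": 401}
        return 200, {"token": "fake-token-" + body["username"], "role": role}
    auth = headers.get("Authorization", "")  # GET /api/user/info expects "Bearer <token>"
    name = auth[len("Bearer fake-token-"):] if auth.startswith("Bearer fake-token-") else None
    if name in users:
        return 200, {"username": name, "role": users[name][1]}
    return 401, {"error": "invalid Bearer token", "code": 401}

def _call(transport, method, path, headers, body=None):
    status, data = transport(method, path, headers, body)
    if status != 200:  # every documented failure carries {"error", "code"}
        raise VigoliumAuthError(data.get("code"), data.get("error"))
    return data

def login(username, access_code, transport=http_transport):
    """POST /api/auth/login (public). Returns the Bearer token string."""
    data = _call(transport, "POST", "/api/auth/login", {"Content-Type": "application/json"},
                 {"username": username, "access_code": access_code})
    return data["token"]  # assumed response field name

def user_info(token, transport=http_transport):
    """GET /api/user/info, sending the token in the Authorization header."""
    return _call(transport, "GET", "/api/user/info", {"Authorization": f"Bearer {token}"})
```

Against a real server, drop the transport argument so http_transport is used; the exception's args give the documented code and error message.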
Disabling Authentication
Set no_auth: true in vigolium-configs.yaml or pass the --no-auth flag to the server command to disable authentication entirely. This is not recommended for production use.