Authentication
Browser session
Dashboard requests use an HTTP-only session cookie after login to Settings or the setup wizard.
GET /api/v1/me HTTP/1.1
Host: mirror.local:3000
Cookie: m2c2_session=...Bearer token (automation)
Authorization: Bearer m2c2_pat_***Create tokens under Settings → Developer → Personal access tokens.
⚠️ Warning: PATs inherit user permissions. Scope them narrowly and rotate on device rebuild.
Addon signed requests
X-M2C2-Addon: com.example.addon
X-M2C2-Signature: sha256=...Core verifies HMAC with per-addon secrets.
Troubleshooting
401 on local curl
Include -b cookie jar or PAT — LAN clients are not implicitly trusted for admin routes.
Last updated on
Was this helpful?