Token Management
Sidemesh uses a single shared bearer token for daemon-client authentication. This page explains how it works, how to rotate it, and the current limitations.
Token lifecycle
- `sidemesh up` or `sidemesh setup` generates a random token and writes it to `~/.sidemesh/config.json`
- The daemon validates the `Authorization: Bearer <token>` header on every request
- The mobile app stores the token in platform secure storage (iOS Keychain, Android Keystore, macOS Keychain)
- The QR code printed by `sidemesh pair` contains the base URL and the token

The QR code therefore carries the shared secret in the clear: anyone who can see or photograph it can authenticate as a trusted device until the token is rotated.
Rotating a token
If a device is lost or you want to revoke access:

- Edit `~/.sidemesh/config.json` and change the `token` field
- Restart the daemon so it picks up the new value: `sidemesh restart --yes`
- Re-pair all trusted devices with the new token

There is no per-device revocation yet. Rotating the token invalidates every existing client, including the devices you still trust, until each one is re-paired. The old token remains valid until the daemon is restarted, so do not leave a gap between the edit and the restart.
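The first two steps above, carried out as an added example (this is not Sidemesh's own code): generate a fresh token from the OS CSPRNG, rewrite `~/.sidemesh/config.json` atomically with owner-only permissions so a crash never leaves a half-written config or a world-readable secret, then run the page's `sidemesh restart --yes`. The `"port"` field in the sample config is a constructed placeholder to show that other settings survive the rewrite; only `"token"` and the config path come from the page.

```python
"""Operator-side token rotation (added example, not Sidemesh's own code)."""
import json
import os
import secrets
import stat
import subprocess
import tempfile
from pathlib import Path

CONFIG_PATH = Path.home() / ".sidemesh" / "config.json"  # path from the page
RESTART_CMD = ["sidemesh", "restart", "--yes"]           # command from the page


def new_token(nbytes=32):
    """256 bits from the OS CSPRNG, URL-safe so it fits a header and a QR code unchanged."""
    return secrets.token_urlsafe(nbytes)


def write_config(path, config):
    """Write config.json atomically with mode 0600: temp file in the same dir, fsync, rename."""
    path = Path(path)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".config.", suffix=".json.tmp")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(config, f, indent=2)
            f.write("\n")
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o600)   # only the owner may read the shared secret
        os.replace(tmp, path)  # atomic on POSIX: readers see the old or the new file, never a partial one
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def rotate_token(path=CONFIG_PATH, restart=True):
    """Replace the token field (the page's first step) and restart the daemon (second step).

    Returns (old_token, new_token). The old token stays valid until the daemon
    re-reads its config, so the restart follows the write immediately.
    """
    path = Path(path)
    config = json.loads(path.read_text())
    old = config.get("token")
    new = new_token()
    config["token"] = new
    write_config(path, config)
    if restart:
        subprocess.run(RESTART_CMD, check=True)
    return old, new


def demo():
    """Rotate a constructed sample config in a temp dir (never touches ~/.sidemesh); no restart."""
    workdir = Path(tempfile.mkdtemp(prefix="sidemesh-demo-"))
    path = workdir / "config.json"
    # Constructed sample config: "port" is a placeholder field, not taken from the page.
    write_config(path, {"token": "old-shared-token", "port": 8080})
    old, new = rotate_token(path, restart=False)
    after = json.loads(path.read_text())
    return {
        "old": old,
        "new": new,
        "token_replaced": after["token"] == new and new != old,
        "other_fields_kept": after.get("port") == 8080,
        "mode": stat.S_IMODE(path.stat().st_mode),
        "leftover_tmp_files": sorted(p.name for p in workdir.iterdir() if p.name != "config.json"),
    }


if __name__ == "__main__":
    result = demo()
    print("token replaced:", result["token_replaced"])           # True
    print("other fields kept:", result["other_fields_kept"])     # True
    print("config mode:", oct(result["mode"]))                   # 0o600
```

After `rotate_token()` returns, every client is locked out; finish the third step by running `sidemesh pair` again on each trusted device. Run `rotate_token()` with no arguments against the real config only after checking `demo()` behaves as expected on your platform.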
Secure storage
| Platform | Storage |
|---|---|
| iOS | Keychain |
| Android | Keystore |
| macOS | Keychain |
Token environment
The daemon deletes `SIDEMESH_TOKEN` from the environment before spawning shells or child processes, so a subprocess cannot read the bearer token from its own environment (for example with `env` or from `/proc/<pid>/environ`). Note that this only covers the environment: a child process running as the same user can still read `~/.sidemesh/config.json`, so keep that file owner-readable only.
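The two daemon-side checks described on this page, the bearer-header validation from the Token lifecycle list and the environment scrubbing above, as an added example (this is not Sidemesh's own code). The validator accepts only an exact `Authorization: Bearer <token>` header and compares the token in constant time; the scrubbing helper drops `SIDEMESH_TOKEN` before spawning, and a probe child confirms it is gone. The function names and the demo token are assumptions; only the header format and the variable name come from the page.

```python
"""Daemon-side checks: bearer validation and env scrubbing (added example, not Sidemesh code)."""
import hmac
import os
import subprocess
import sys

TOKEN_ENV = "SIDEMESH_TOKEN"  # variable name from the page


def check_bearer(authorization_header, expected_token):
    """Accept only an exact 'Authorization: Bearer <token>' header whose token matches."""
    if not authorization_header or not expected_token:
        return False
    scheme, _, presented = authorization_header.strip().partition(" ")
    # The auth scheme is case-insensitive (RFC 7235); the token itself is compared exactly.
    if scheme.lower() != "bearer" or not presented or " " in presented:
        return False
    # Constant-time compare: a plain == returns at the first mismatching byte and
    # would leak how much of the token a remote caller has guessed.
    return hmac.compare_digest(presented.encode("utf-8"), expected_token.encode("utf-8"))


def scrubbed_env(environ=None):
    """Copy of the environment with SIDEMESH_TOKEN removed, for passing to child processes."""
    env = dict(os.environ if environ is None else environ)
    env.pop(TOKEN_ENV, None)
    return env


def env_with_token(token):
    """Constructed parent environment for the demo: the current env plus the bearer token."""
    return dict(os.environ, **{TOKEN_ENV: token})


def child_can_see_token(environ):
    """Spawn a Python child that exits 0 iff SIDEMESH_TOKEN is present in its environment."""
    probe = f"import os, sys; sys.exit(0 if {TOKEN_ENV!r} in os.environ else 1)"
    proc = subprocess.run([sys.executable, "-c", probe], env=environ, check=False)
    return proc.returncode == 0


if __name__ == "__main__":
    parent = env_with_token("constructed-demo-token")
    print("unscrubbed child sees token:", child_can_see_token(parent))                # True
    print("scrubbed child sees token:", child_can_see_token(scrubbed_env(parent)))    # False
    print("valid header accepted:", check_bearer("Bearer constructed-demo-token",
                                                 "constructed-demo-token"))           # True
    print("wrong token rejected:", check_bearer("Bearer wrong", "constructed-demo-token"))  # False
```

Pass `env=scrubbed_env()` to every `subprocess` call the daemon makes; scrubbing once in the parent is not enough if a later code path re-exports the variable.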
Future improvements
- Per-device tokens with granular revocation
- Token expiry and refresh
- OAuth or SSO integration for enterprise deployments