Security

qbee-connect uses industry-standard security practices to protect your credentials and connections. Understanding the security model helps you use qbee-connect safely and troubleshoot authentication issues.

Authentication

qbee-connect uses OAuth2 for authentication — no passwords are stored or transmitted by the application.

OAuth2 Device Authorization Flow

qbee-connect authenticates using the OAuth2 Device Authorization Flow (designed for applications that cannot easily handle browser redirects):

  1. Device code request — qbee-connect requests a device code and user code from Qbee
  2. Browser authentication — The application displays a URL and user code. You open the URL in your browser, enter the code, and authenticate with your Qbee credentials (including any MFA)
  3. Token polling — qbee-connect polls until authentication completes, then receives access and refresh tokens
  4. Session established — Tokens are stored locally and used for all subsequent API calls
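
The token polling step above, as an added example (not qbee-connect's own code) that follows the standard RFC 8628 error handling. The `post_token` transport, the client id and every sample value are hypothetical or constructed, and it is an assumption that Qbee's token endpoint follows each RFC detail.

```python
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628

class DeviceFlowError(Exception):
    """Terminal failure: the user must restart the login."""

def poll_for_tokens(post_token, client_id, device_resp,
                    sleep=time.sleep, now=time.monotonic):
    """Step 3: poll until the browser login completes, then return the tokens.

    post_token(form) -> dict is a hypothetical transport callable that POSTs
    the form to the token endpoint and returns the decoded JSON body.
    device_resp is the JSON answer to the device code request (step 1).
    """
    interval = device_resp.get("interval", 5)     # RFC 8628 default is 5 s
    deadline = now() + device_resp["expires_in"]  # lifetime of the device code
    form = {"grant_type": DEVICE_GRANT, "client_id": client_id,
            "device_code": device_resp["device_code"]}
    while now() < deadline:
        sleep(interval)
        body = post_token(form)
        error = body.get("error")
        if error is None:
            return body                           # access and refresh tokens
        if error == "slow_down":
            interval += 5                         # back off, keep polling
        elif error != "authorization_pending":
            raise DeviceFlowError(error)          # access_denied, expired_token, ...
    raise DeviceFlowError("expired_token")        # stop polling a dead code

def demo():
    """Drive the loop with constructed token-endpoint replies and a fake clock."""
    replies = iter([{"error": "authorization_pending"}, {"error": "slow_down"},
                    {"access_token": "constructed.access", "token_type": "Bearer",
                     "refresh_token": "constructed.refresh", "expires_in": 3600}])
    waits, clock = [], [0.0]
    def fake_sleep(seconds):
        waits.append(seconds)
        clock[0] += seconds
    device_resp = {"device_code": "constructed-device-code", "interval": 5,
                   "user_code": "ABCD-EFGH", "expires_in": 600,
                   "verification_uri": "https://auth.example/device"}
    tokens = poll_for_tokens(lambda form: next(replies), "example-client",
                             device_resp, sleep=fake_sleep, now=lambda: clock[0])
    return tokens, waits

if __name__ == "__main__":
    print(demo())
```

A client that stops at the `expires_in` deadline and treats `access_denied` as final never keeps polling for a code the user did not approve.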

What This Means for Security

  • No passwords in qbee-connect — The application never sees, stores, or transmits your password
  • Browser-based MFA — Multi-factor authentication happens in your browser on Qbee.io
  • Token-based access — Limited-lifetime JWT tokens are used for API authorization
  • Automatic refresh — Access tokens are refreshed automatically using the refresh token

Credential Storage

Credentials are stored locally at:

~/.qbee/qbee-cli.json

This file is shared with qbee-cli — authenticating with either tool updates the same file.

File Permissions

Tip

On Linux/macOS, you can verify the permissions are correct with:

ls -l ~/.qbee/qbee-cli.json

The file should show -rw------- (read/write for owner only).

On Windows, the file is automatically protected by the operating system's user access controls.


Re-authentication

When access tokens expire, qbee-connect automatically presents the login dialog. Complete the OAuth2 browser authentication flow again, and the application resumes with fresh tokens.

No manual intervention is required — qbee-connect detects HTTP 401 responses from the API and prompts for re-authentication automatically.

For authentication management procedures (logging out, forced re-authentication), see Managing qbee-connect → Authentication.


See Also

Intent                                  Document
Log in to qbee-connect                  Managing the Application → Authentication
Troubleshoot an authentication issue    Troubleshooting