A standalone authentication service for Legion integrations on edge devices, development machines, and other systems. This service handles OAuth2 authentication, token lifecycle management (automatic refreshes), and terminal entity registration.
For comprehensive API details, please refer to the Legion API Documentation.
- OAuth2 PKCE Flow: Secure authentication without hardcoded credentials.
- Automatic Token Management: Monitors and refreshes access tokens automatically.
- Headless Support: Supports authentication flows on headless devices via local callbacks.
- Service Integration: Built-in support for installing as a system service:
- Linux: Systemd
- macOS: Launchd
Install the latest release with a single command:
curl -fsSL https://raw.githubusercontent.com/picogrid/legion-system-auth/main/install.sh | bashThe script will automatically detect your platform and prompt for sudo if needed.
- Go 1.23 or later
- Make
-
Clone the repository:
git clone https://github.com/picogrid/legion-system-auth.git cd legion-system-auth -
Build the binary:
make build
-
Install globally (optional):
sudo make install
This installs
legion-authto/usr/local/bin.
Run the interactive setup wizard to authenticate and configure the integration.
legion-auth setupOptions:
--create-entity: Prompts to create a Terminal entity in Legion during setup.--storage-path <dir>: Custom directory to store tokens and config (Default:/etc/picogrid/auth).
Example:
legion-auth setup --create-entityTo ensure the token monitor runs automatically and keeps credentials fresh, you can install as either a user-level or system-level service:
Runs as your user account and starts automatically on login:
legion-auth install-service --userBenefits:
- No sudo required
- Runs with your user permissions
- Starts automatically when you log in
- Stores credentials in your home directory
Runs at system startup with specified user permissions:
sudo legion-auth install-serviceThis will:
- Generate the appropriate service file (
systemdunit orlaunchdplist) - Enable the service to start at boot
- Start the service immediately
Custom options:
--service-userUser to run service as (Linux system-level only, default: "pg" if exists, otherwise "root")--service-groupGroup to run service as (Linux system-level only, default: primary group of service user)
# Custom storage path
legion-auth install-service --user --storage-path ~/.config/legion-auth
# System-level with specific user (Linux only)
sudo legion-auth install-service --service-user myuser
# System-level with specific user and group (Linux only)
sudo legion-auth install-service --service-user myuser --service-group mygroupTo remove an installed service:
# Uninstall user-level service
legion-auth uninstall-service --user
# Uninstall system-level service (requires sudo)
sudo legion-auth uninstall-serviceThis will:
- Stop the running service
- Disable it from starting automatically
- Remove the service configuration file
You can run the monitor process manually (foreground):
legion-authThe service stores its data in /etc/picogrid/auth by default.
oauth_config.json: Integration settings.access_token.json: Current active tokens.refresh_token.json: Long-lived refresh token.terminal_entity.json: Device metadata (if entity creation was used).
All release binaries include SHA256 checksum files (.sha256) for integrity verification.
# Download binary and checksum
curl -LO https://github.com/picogrid/legion-system-auth/releases/latest/download/legion-auth-linux-amd64
curl -LO https://github.com/picogrid/legion-system-auth/releases/latest/download/legion-auth-linux-amd64.sha256
# Verify
sha256sum -c legion-auth-linux-amd64.sha256The install script automatically verifies checksums when available.
- Build:
make build- Build the binary with version info - Clean:
make clean- Remove build artifacts
- Test:
make test- Run tests with race detection and coverage - Lint:
make lint- Run golangci-lint - Security:
make security- Run gosec security scanner - Check All:
make check- Run all checks (fmt, vet, lint, security, test)
- Install:
make install- Install binary to /usr/local/bin - Install Service:
sudo make install-service- Install as system service
- Help:
make help- Show all available make targets