Skip to content

[FEATURE]: Ephemeral Server Authentication Zero/Low Trust State for LLM providers #17220

New issue
New issue
Open
Open
[FEATURE]: Ephemeral Server Authentication Zero/Low Trust State for LLM providers#17220
Assignees
rekram1-node
Labels
coreAnything pertaining to core functionality of the application (opencode server stuff)discussionUsed for feature requests, proposals, ideas, etc. Open discussion
@sdre15

Description

@sdre15
sdre15
opened on Mar 12, 2026

Feature hasn't been suggested before.

  • I have verified this feature I'm about to request hasn't been suggested before.

Describe the enhancement you want to request

Feature Description:
Add ephermal server authentication state for different LLM provider which allows the user to use their client share directory auth.json credentials to login on the server side without having to permenantly store the auth.json on the server side. We are treating the client almost like an id badge for authentication against the servers, as opposed to storing the id badge on the server side and assuming that any client with machine user account access has access to the id badge for LLM provider access.

Feature Benefits:
Instead of having mulitple oauth token stored on different server virtual machine, you can have all the tokens stored on your client like you laptop or smartphone. Let's say you are sharing a VM with some people to do some AI Lab training with mulitple user on the same Linux user account. If you sign on the LLM provider on the server-side and you leave the machine overnight, another user can use your credential to impersonate your copilot, claude, and etc account. With this client side ephemeral authentication system, if you disconnect your client then other people can no longer use your login tokens to spoof your account. This works well if your organization uses a bastion server to identify organization users, but the endpoint server user account is used by mulitple users.

Feature Implementation Suggestion:
Create a auth-server-{server_uuid}.json which includes the server information and the authentication token generated that is stored on the client side like your laptop or phone. Mount the auth-server.json into the server with sshfs or another file mounting program when the user logins using opencode attach http://{server-ip}:{server-port} --forward-auth. If the user decides to disconnect, unmount the auth file on the server side to prevent other users from using your credential on the same Linux user account.

Another possible implemetnation is building a session manager directly into opencode. And having that manage the client-server authentication ephermeral storage. Maybe, something similar to AWS STS service.

Potential Stakeholders:
AI training clusters
shared GPU servers
bastion-host workflows
small & startup research labs

Security Frameworks:
https://www.microsoft.com/en-us/security/business/security-101/what-is-zero-trust-architecture
https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.800-207.pdf

Metadata

Metadata

Assignees

Labels

coreAnything pertaining to core functionality of the application (opencode server stuff)discussionUsed for feature requests, proposals, ideas, etc. Open discussion

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions