BinderHub API authentication

BinderHub has one API call: /build/<provider_prefix>/<spec>. How does authentication work against this call? What is required? Cookies, bearer token, something else?

I’ve setup my BinderHub with authentication enabled but I don’t know how to construct my request for this particular call.

The code for this is in this method. It uses the standard authenticated decorator for tornado.

Not a lot of people use the “authenticated BinderHub setup” (or they do so in private only) so unfortunately there isn’t a lot of documentation around. Reading the code and getting familiar with the tools used is the best bet for answers. After that it would be great if someone could spend time writing up thoughts/tutorials/experience/etc so that people from the future don’t have to go through the same pain.

I digged into the code and found how to authenticate a request to launch a binder, the only problem now is that I don’t know how to to it for a particular user. This is how it is done for the ‘binder’ user (that does not exist in my system):

    url = binder_url + '/build/gh/{repo}/{ref}'.format(repo=repo, ref=ref)

    # This is the 'right' way for authorizing against the BinderHub api by using the JupyterHub API token but you can't do
    # it for a particular user (I think). It's done for the user 'binder' but that one doesn't exist in our system.
    r = requests.get(url, headers={'Authorization': 'token {}'.format(jhub_token)}, stream=True,
                     json={"token": jhub_token})