# Wiki.js API Authentication & Security Strategy

## 1. Authentication Method
- **Token Type:** Permanent API Keys (Bearer Tokens)
- **Generation:** Generated via the Wiki.js Administration Area -> API Keys
- **Storage:** Stored as environment variables in the agent runtime environment (e.g., `WIKIJS_API_TOKEN`).

## 2. Permission Scopes
To maintain security, the API token used by agents will be restricted to the minimum necessary scopes:

| Scope | Requirement | Justification |
|-------|-------------|---------------|
| `write:pages` | Mandatory | Allows agents to create and update content |
| `read:pages` | Mandatory | Allows agents to check existing content before updates |
| `write:assets` | Mandatory | Allows Agent G to upload images/files |
| `read:assets` | Mandatory | Allows checking for existing assets |
| `read:tags` | Optional | Allows metadata tagging |
| `manage:system` | **Prohibited** | Agents must NOT have administrative system access |

## 3. Token Rotation Policy
- **Frequency:** Tokens should be rotated every 90 days.
- **Process:**
  1. Generate new token in Wiki.js.
  2. Update environment variable in agent deployment (Komodo/Docker).
  3. Verify connectivity.
  4. Revoke old token.

## 4. Write Access Control
- **Human Editing:** All human accounts in Wiki.js will be assigned to a "Read-Only" group.
- **Agent Editing:** Only the API account (associated with the token) will have write permissions.
- **Emergency Bypass:** A single "Admin" account will be maintained for emergency manual intervention, protected by 2FA.

## 5. Security Best Practices
- **TLS:** All API calls MUST be made over HTTPS.
- **IP Whitelisting:** If possible, Wiki.js should be configured to only accept API requests from the IP of the agent runner.
- **Audit Logs:** Enable Wiki.js audit logging to track all changes made via the API token.