Security and Access
Security is split by boundary: dashboard session auth, API-token auth for automation, and internal bearer-token controls for runtime/control-plane traffic.
Step-by-Step Guide
1.Dashboard session access
User-facing app actions run under Better Auth sessions and active organization membership checks.
- Server-side guards enforce session + org access before data operations.
- Middleware is an entry gate; core authorization is validated in server handlers/actions.
2.API tokens for CLI and MCP
API tokens are bearer credentials with org/user association and expiry support.
- Token format is validated before auth lookup.
- Stored tokens are hashed (Argon2id) and compared securely.
- Successful auth updates token
lastUsedAtfor audit visibility.
3.Internal runtime trust boundary
Runtime callbacks and internal control routes are protected by internal bearer tokens and execution token checks.
- Internal endpoints require configured shared env secrets.
- Execution callback tokens are HMAC-signed and validated with expiration and active execution checks.
4.MCP controls
MCP endpoint enforces bearer auth and request controls suitable for tool-call automation.
- Origin allowlisting is enforced only when
MCP_ALLOWED_ORIGINSis configured. - Rate limit is enforced per token id.
- MCP tool calls are audited for request/response visibility.