Authentication & Access Control

Authentication verifies identities and controls access to the platform, covering user logins, API credentials, token rotation, and revocation to keep customer data secure.

What Is This Feature?

Authentication is the process of verifying that someone is who they say they are before granting access to the platform. It covers everything from a user logging in on their laptop to a server-side integration authenticating with an API key. This deep dive explains how the platform handles authentication securely — including how access tokens work, how they're kept short-lived to limit risk, how they can be revoked instantly in an emergency, and how the underlying security keys are rotated safely over time.

Why It Matters to Your Business

Authentication is one of the most critical pieces of any software platform. A failure here — a leaked token, a compromised credential, an unrevokable session — can mean unauthorized access to your customers' data. Getting this right is fundamental to the security promises you make to customers.

Enterprise requirements. Large customers will ask detailed questions about authentication in security reviews. A well-designed auth system — short-lived tokens, rotation, audit trails — directly addresses the most common concerns.
Fast incident response. If a token is compromised, you need to be able to invalidate it immediately — not wait for it to expire naturally. The revocation system makes this instant.
Support for multiple authentication methods. Human users log in with passwords or SSO; machine integrations use API keys. Both paths are first-class citizens, with appropriate security controls for each.
Auditability. Every login, token refresh, and revocation is logged. If something suspicious happens, your security team has the data they need to investigate.

How It Works (No Technical Jargon)

A user logs in — with an email/password or through a Single Sign-On (SSO) provider (like Google Workspace or Okta).
The platform issues two tokens: a short-lived access token (typically valid for 15–60 minutes) and a longer-lived refresh token.
The access token is used to authenticate every API request. Because it's short-lived, a leaked access token is only useful for a limited window.
When the access token expires, the app automatically uses the refresh token to get a new one — seamlessly, without the user having to log in again.
When the user logs out (or their refresh token is revoked), all new token requests are rejected immediately.

Server-to-server integrations use client credentials — a client ID and secret. These work similarly to a username and password but are designed for programmatic use. Every token issued to a machine client is logged with the integration's identity and the IP address it came from.

The platform maintains a revocation list — a fast, real-time record of tokens that have been explicitly invalidated. Every token validation checks this list. If a token is on the list, it's rejected immediately, regardless of whether it would otherwise still be valid. This means:
- A compromised session can be terminated instantly by an administrator
- A departing employee's access is cut off the moment their account is deactivated
- An integration that's been compromised can be disabled immediately

Security Keys and Rotation

The platform uses cryptographic keys to sign tokens — a way of mathematically proving that a token was issued by the platform and hasn't been tampered with. These keys need to be rotated periodically (replaced with new ones) as a security best practice.

Key rotation is handled carefully to avoid disrupting active sessions:
- New keys are published before old ones expire
- Tokens signed with old keys continue to work during a transition window
- Once the transition is complete, old keys are retired
- Key rotation events are logged and can trigger alerts

What You Can See and Control

From the admin dashboard:
- Active sessions per user — and the ability to terminate any of them
- A log of recent authentication events: logins, token refreshes, failed attempts, revocations
- Alerts for suspicious activity (e.g., the same account logging in from two different countries in quick succession)

What to Expect on the Roadmap

The team is building:

A Redis-backed revocation list for instant token invalidation (estimated 2 weeks)
Automated tests for key rotation scenarios, running in CI on every code change (estimated 1 week)

These improvements will harden the authentication layer significantly and give you verifiable, testable proof of the security controls you're promising to customers.