
Authentication & Access Control

Authentication verifies identities and controls access to the platform, covering user logins, API credentials, token rotation, and revocation to keep customer data secure.

What Is This Feature?

Authentication is the process of verifying that someone is who they say they are before granting access to the platform. It covers everything from a user logging in on their laptop to a server-side integration authenticating with an API key. This deep dive explains how the platform handles authentication securely — including how access tokens work, how they're kept short-lived to limit risk, how they can be revoked instantly in an emergency, and how the underlying security keys are rotated safely over time.


Why It Matters to Your Business

Authentication is one of the most critical pieces of any software platform. A failure here — a leaked token, a compromised credential, an unrevokable session — can mean unauthorized access to your customers' data. Getting this right is fundamental to the security promises you make to customers.

  • Enterprise requirements. Large customers will ask detailed questions about authentication in security reviews. A well-designed auth system — short-lived tokens, rotation, audit trails — directly addresses the most common concerns.
  • Fast incident response. If a token is compromised, you need to be able to invalidate it immediately — not wait for it to expire naturally. The revocation system is designed to make this immediate; the Redis-backed revocation list on the roadmap below is what completes it.
  • Support for multiple authentication methods. Human users log in with passwords or SSO; machine integrations use API keys. Both paths are first-class citizens, with appropriate security controls for each.
  • Auditability. Every login, token refresh, and revocation is logged. If something suspicious happens, your security team has the data they need to investigate.

How It Works (No Technical Jargon)

For Human Users

For Machine Integrations

Revocation


Security Keys and Rotation

The platform uses cryptographic keys to sign tokens — a way of mathematically proving that a token was issued by the platform and hasn't been tampered with. These keys need to be rotated periodically (replaced with new ones) as a security best practice.

Key rotation is handled carefully to avoid disrupting active sessions:
- A new key is published, and used to sign new tokens, before the old one is retired
- Tokens signed with the old key continue to verify during a transition window, so sessions issued just before the rotation are not cut off
- Once the transition window ends, the old key is retired and tokens signed with it are no longer accepted, even if they have not yet expired
- Key rotation events are logged and can trigger alerts

One check worth making: the transition window should be at least as long as the longest token lifetime. If it is shorter, a token issued just before a rotation can be rejected before it would have expired on its own.


What You Can See and Control

From the admin dashboard:
- Active sessions per user — and the ability to terminate any of them
- A log of recent authentication events: logins, token refreshes, failed attempts, revocations
- Alerts for suspicious activity (e.g., the same account logging in from two different countries in quick succession)
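The alert in the last bullet is a rule over the authentication-event log. The following is an added example, not the platform's own code, showing two such rules run over a constructed sample log: the "two countries in quick succession" check described above, and a failed-login burst check built on the "failed attempts" entries the same log records (a generalisation of the page's example; the field names ts, user, event, country and the thresholds are assumptions).

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of the authentication-event log described above; not real data.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "user": "alice", "event": "login",         "country": "DE"},
    {"ts": "2024-05-01T09:12:00Z", "user": "alice", "event": "token_refresh", "country": "DE"},
    {"ts": "2024-05-01T09:20:00Z", "user": "alice", "event": "login",         "country": "BR"},
    {"ts": "2024-05-01T09:30:00Z", "user": "bob",   "event": "login",         "country": "US"},
    {"ts": "2024-05-01T15:00:00Z", "user": "bob",   "event": "login",         "country": "GB"},
    {"ts": "2024-05-01T09:43:00Z", "user": "carol", "event": "failed_login",  "country": "FR"},
    {"ts": "2024-05-01T09:40:00Z", "user": "carol", "event": "failed_login",  "country": "FR"},
    {"ts": "2024-05-01T09:41:00Z", "user": "carol", "event": "failed_login",  "country": "FR"},
    {"ts": "2024-05-01T09:50:00Z", "user": "dave",  "event": "failed_login",  "country": "NL"},
    {"ts": "2024-05-01T09:51:00Z", "user": "dave",  "event": "login",         "country": "NL"},
]

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def impossible_travel_alerts(events, window=timedelta(minutes=60)):
    """Flag an account whose two consecutive successful logins come from different
    countries less than `window` apart. Events are sorted first, so out-of-order log
    delivery cannot hide a pair. Only 'login' counts: a refresh reuses an existing session."""
    last_login = {}
    alerts = []
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if e["event"] != "login":
            continue
        prev = last_login.get(e["user"])
        if prev is not None and prev["country"] != e["country"]:
            gap = parse_ts(e["ts"]) - parse_ts(prev["ts"])
            if gap <= window:
                alerts.append({"user": e["user"], "from": prev["country"], "to": e["country"],
                               "minutes_apart": int(gap.total_seconds() // 60)})
        last_login[e["user"]] = e
    return alerts

def failed_login_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Flag an account with `threshold` or more failed logins inside a sliding window,
    using the 'failed attempts' entries of the same log as a brute-force signal."""
    recent = defaultdict(list)
    flagged = set()
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if e["event"] != "failed_login":
            continue
        times = recent[e["user"]]
        times.append(parse_ts(e["ts"]))
        while times[-1] - times[0] > window:      # evict failures that left the window
            times.pop(0)
        if len(times) >= threshold:
            flagged.add(e["user"])
    return sorted(flagged)
```

On the sample, alice is flagged (Germany to Brazil in 20 minutes) while bob is not (five and a half hours between countries is ordinary travel), and carol is flagged for three failures inside ten minutes even though her events arrived out of order. The window and threshold are the knobs a security team tunes against its own false-positive rate.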


What to Expect on the Roadmap

The team is building:

1. A Redis-backed revocation list for instant token invalidation (estimated 2 weeks)
2. Automated tests for key rotation scenarios, running in CI on every code change (estimated 1 week)

These improvements will harden the authentication layer significantly and give you verifiable, testable proof of the security controls you're promising to customers.
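Two of the mechanisms this page describes, key rotation with a transition window (the "Security Keys and Rotation" section) and instant revocation through a list that outlives nothing longer than the token itself (the Redis-backed list on the roadmap), fit in one small model. The following is an added example written for this page, not the platform's own implementation: tokens are HMAC-SHA256 signed in JWS compact form with a `kid` header, the key ring and revocation list are in-memory stand-ins, and the clock is faked so the timeline is deterministic. Everything here (key ids, the 600-second overlap, the 900-second token lifetime, the SETEX comparison) is an assumption chosen for illustration.

```python
import base64, hashlib, hmac, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class KeyRing:
    """Signing secrets by key id (kid): one current key signs, older keys verify until retired."""

    def __init__(self, now):
        self.keys = {}           # kid -> {"secret": bytes, "retire_at": float | None}
        self.current_kid = None
        self.events = []         # audit trail of rotation events: (time, event, kid)
        self.rotate(now, overlap_seconds=0)

    def rotate(self, now, overlap_seconds):
        """Publish a new current key; the old key keeps verifying for overlap_seconds."""
        new_kid = secrets.token_hex(8)
        self.keys[new_kid] = {"secret": secrets.token_bytes(32), "retire_at": None}
        if self.current_kid is not None:
            self.keys[self.current_kid]["retire_at"] = now + overlap_seconds
            self.events.append((now, "key_retire_scheduled", self.current_kid))
        self.current_kid = new_kid
        self.events.append((now, "key_published", new_kid))

    def secret_for(self, kid, now):
        """Secret for kid, or None if unknown or retired (retirement is applied lazily on use)."""
        entry = self.keys.get(kid)
        if entry is None:
            return None
        if entry["retire_at"] is not None and now >= entry["retire_at"]:
            del self.keys[kid]
            self.events.append((now, "key_retired", kid))
            return None
        return entry["secret"]

class RevocationList:
    """In-memory stand-in for the planned Redis list: a revoked jti is kept only until the
    token's own exp (in Redis this would be SETEX with TTL = exp - now), so the list stays small."""

    def __init__(self):
        self.entries = {}        # jti -> exp

    def revoke(self, claims, now):
        if claims["exp"] > now:  # an already-expired token needs no entry
            self.entries[claims["jti"]] = claims["exp"]

    def is_revoked(self, jti, now):
        exp = self.entries.get(jti)
        if exp is not None and now >= exp:   # expired on its own; drop the entry
            del self.entries[jti]
        return exp is not None and now < exp

def issue_token(ring, subject, now, ttl_seconds=900):
    """Short-lived HS256 token in JWS compact form, signed with the ring's current key."""
    header = {"alg": "HS256", "kid": ring.current_kid}
    claims = {"sub": subject, "iat": int(now), "exp": int(now) + ttl_seconds, "jti": secrets.token_hex(8)}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(ring.keys[ring.current_kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_token(ring, revoked, token, now):
    """Return (claims, None) if acceptable, else (None, reason). The signature is checked
    before any claim is trusted; only the key id is read from the unverified header."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header, claims, sig = (json.loads(b64url_decode(header_b64)),
                               json.loads(b64url_decode(claims_b64)), b64url_decode(sig_b64))
        if not isinstance(header, dict) or not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
            raise ValueError("bad structure")
    except ValueError:
        return None, "malformed"
    secret = ring.secret_for(str(header.get("kid", "")), now)
    if secret is None:
        return None, "unknown or retired key"
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    if now >= claims["exp"]:
        return None, "expired"
    if revoked.is_revoked(claims.get("jti", ""), now):
        return None, "revoked"
    return claims, None

def rotation_walkthrough():
    """Scripted timeline on a fake clock (constructed for this example, not real traffic)."""
    t0 = 1_700_000_000.0
    ring, revoked = KeyRing(now=t0), RevocationList()
    old_token = issue_token(ring, "alice", now=t0)            # signed by key A, exp = t0+900
    ring.rotate(now=t0 + 100, overlap_seconds=600)            # key B published; A retires at t0+700
    new_token = issue_token(ring, "alice", now=t0 + 200)      # signed by key B
    results = {
        "old_key_during_overlap": verify_token(ring, revoked, old_token, t0 + 300)[1],
        "old_key_after_retirement": verify_token(ring, revoked, old_token, t0 + 800)[1],
        "new_key_after_retirement": verify_token(ring, revoked, new_token, t0 + 800)[1],
    }
    claims, _ = verify_token(ring, revoked, new_token, t0 + 800)
    revoked.revoke(claims, now=t0 + 800)                      # emergency revocation before exp
    results["after_revocation"] = verify_token(ring, revoked, new_token, t0 + 801)[1]
    h, _, s = new_token.split(".")                            # forge the claims, keep the signature
    forged = h + "." + b64url(json.dumps({**claims, "sub": "admin"}).encode()) + "." + s
    results["forged_claims"] = verify_token(ring, revoked, forged, t0 + 801)[1]
    results["rotation_events"] = [event for _, event, _ in ring.events]
    return results
```

The walkthrough shows the behaviour the page promises in order: the old key's token verifies at t0+300 inside the overlap, is rejected at t0+800 once the old key is retired even though the token itself does not expire until t0+900 (the overlap here is deliberately shorter than the token lifetime to make that edge visible), the new key's token keeps working, revocation takes effect on the very next check, and a token whose claims were altered fails the signature check before any claim is read. Retirement is applied lazily and logged, which matches the page's point that rotation events are auditable.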