Authentication
Sessions, passkeys, tenant scoping, and authorization
Nexus uses session-based auth (Lucia) in the web and sandbox apps. The API platform uses bearer API keys. All privileged operations are tenant-scoped.
Session auth (dashboard)
- Email/password and passkeys (WebAuthn)
- Optional MFA completion flow after primary auth
- Enterprise tenants may enforce SSO (SAML/OIDC). Contact sales for enterprise SSO setup.
Authorization pattern
```ts
// Inside a route handler: `input` is the already-parsed request body or params.
const session = await getSession()
if (!session || session.tenantId !== input.tenantId) {
  // "Not signed in" and "signed in to a different tenant" get the same
  // 401 JSON response, never a redirect.
  return Response.json(
    { error: { code: 'UNAUTHORIZED', message: 'Not signed in or wrong tenant' } },
    { status: 401 },
  )
}
```
Security guarantees
- Tenant boundary on every sensitive query (plus PostgreSQL RLS).
- Agent, trigger, and workflow lookups always include tenantId.
- API keys are hashed at rest (Argon2id); platform keys use timing-safe verification.
- Unauthorized API calls return 401 JSON, not redirects.
API platform auth
```http
Authorization: Bearer hdl_live_...
```
Scope checks run before any database access. See API keys.
Continue with MFA for passkey registration and session hardening.