Authentication

Sessions, passkeys, tenant scoping, and authorization

Nexus uses session-based auth (Lucia) in the web and sandbox apps. The API platform uses bearer API keys. All privileged operations are tenant-scoped.

Session auth (dashboard)

  • Email/password and passkeys (WebAuthn)
  • Optional MFA completion flow after primary auth
  • Enterprise tenants may enforce SSO (SAML/OIDC). Contact sales for enterprise SSO setup.

Authorization pattern

// Resolve the caller's session, then compare it with the tenant named in the request.
const session = await getSession()
// Reject anonymous callers and signed-in users acting on another tenant's data alike;
// the failure is a 401 JSON body, never a redirect.
if (!session || session.tenantId !== input.tenantId) {
  return Response.json(
    { error: { code: 'UNAUTHORIZED', message: 'Not signed in or wrong tenant' } },
    { status: 401 },
  )
}

Security guarantees

  • Tenant boundary on every sensitive query (plus PostgreSQL RLS).
  • Agent, trigger, and workflow lookups always include tenantId.
  • API keys are hashed at rest (Argon2id); platform keys use timing-safe verify.
  • Unauthorized API calls return 401 JSON, not redirects.

API platform auth

Authorization: Bearer hdl_live_...

Scope checks run before any database access. See API keys.

Continue with MFA for passkey registration and session hardening.