Skip to content

HG Content Internal Documentation

Security & Auth

Initializing search

Home
Core Documentation
Module Plans
API Reference
Tutorials
Architecture
Reference
Testing
Development
Deployment & Operations
Examples

HG Content Internal Documentation

Home
Core Documentation
Core Documentation
Module Plans
Module Plans
API Reference
API Reference
Tutorials
Tutorials
Architecture
Architecture
Reference
Reference
- Environment Variables
- Security & Auth Security & Auth
  Table of contents
- Versioning
- Troubleshooting
Testing
Testing
Development
Development
Deployment & Operations
Deployment & Operations
- Vercel Configuration
- Deploy Ollama
- Monorepo Setup
- Deployment Scalability
- Internal Deployment
  Internal Deployment
- Internal Operations
  Internal Operations
  - Production Readiness
  - Observability
Examples
Examples

Table of contents

Frontend App (Supabase Session)
Frontend API Routes (Next.js)
CPM (Content Production Module)
External API (Public v1)
Least Privilege & Storage
CORS and Network
Secrets Management
Common Pitfalls

Security & Authentication¶

This page summarizes authentication and authorization across the system.

Frontend App (Supabase Session)¶

Uses Supabase Auth; user must be authenticated to access the dashboard.
Email verification enforced when ENABLE_EMAIL_VERIFICATION=true (no super-admin bypass).
Onboarding enforced when ENABLE_ONBOARDING=true.

Frontend API Routes (Next.js)¶

Inherit Supabase session; most routes require an authenticated user.
Dev convenience: some routes support a dev bearer token; see source for getAuthUserId behavior.

CPM (Content Production Module)¶

Auth via API keys (Bearer), hashed and stored with usage/rate limits.
Rate limiting via Redis (if REDIS_URL set) or in-memory fallback.
Permissions per key: read, write, admin; enforced by dependencies.
Endpoints expose OpenAPI at /openapi.json, interactive docs at /docs.

External API (Public v1)¶

Auth via X-API-Key header.
Dev override: set EXTERNAL_TEST_API_KEY and EXTERNAL_TEST_CLIENT_ID to enable local testing.
Rate limits enforced per-key (in-memory defaults shown; can be extended with Redis).

Least Privilege & Storage¶

Store only bcrypt-hashed API keys; never log full tokens (use key prefix for logging).
Rotate keys periodically; expire keys via expires_at where applicable.
Scope keys to minimal permissions needed (e.g., read vs write).

CORS and Network¶

CPM and External APIs default to permissive CORS for development; restrict origins in production.
Prefer private networking for Ollama; avoid exposing it publicly without access controls.

Secrets Management¶

Use environment variables for secrets; avoid committing keys.
For GitHub Actions, store secrets in repository/environment secrets.
Document and rotate secrets regularly (see Environment Variables reference).

Common Pitfalls¶

401/403 errors: verify correct header (Authorization: Bearer vs X-API-Key) and key validity.
422 validation errors: check payload shape; see OpenAPI examples.
RLS denials in Supabase: ensure client_users contains a row for the user and client.

For details, see the Environment Variables and REST API Overview.

October 27, 2025 October 27, 2025