Files

Abhimanyu Saharan 46bc9a02c6 fix(security): Keep short agent token prefixes in logs

Restore the existing short token-prefix logging behavior for agent auth failures while keeping the optional bearer-path rate-limit fix. Update tests and docs so the replacement branch reflects the intended logging policy.

Co-Authored-By: Claude <noreply@anthropic.com>

2026-03-07 23:43:32 +05:30

993 B

Raw Permalink Blame History

Authentication

Mission Control supports two auth modes via AUTH_MODE:

local: shared bearer token auth for self-hosted deployments
clerk: Clerk JWT auth

Local mode

Backend:

AUTH_MODE=local
LOCAL_AUTH_TOKEN=<token>

Frontend:

NEXT_PUBLIC_AUTH_MODE=local
Provide the token via the login UI.

Clerk mode

Backend:

AUTH_MODE=clerk
CLERK_SECRET_KEY=<secret>

Frontend:

NEXT_PUBLIC_AUTH_MODE=clerk
NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=<key>

Agent authentication

Autonomous agents primarily authenticate via an X-Agent-Token header. On shared user/agent routes, the backend also accepts Authorization: Bearer <agent-token> after user auth does not resolve. See API reference for details.

Security notes:

Agent auth is rate-limited to 20 requests per 60 seconds per IP. Exceeding this returns 429 Too Many Requests.
Authentication failure logs may include a short token prefix for debugging, but never the full token.

993 B Raw Permalink Blame History

Authentication

Local mode

Clerk mode

Agent authentication

993 B

Raw Permalink Blame History