fb8a932923
Rate-limit the optional agent bearer path after user auth resolution so mixed user/agent routes no longer leave an unthrottled PBKDF2 path. Stop logging token prefixes on agent auth failures and require a locally supplied token for backend/.env.test instead of committing one. Update tests and docs to cover agent bearer fallback, configurable webhook signature headers, and the operator-facing security settings added by the hardening work. Co-Authored-By: Claude <noreply@anthropic.com>
40 lines
949 B
Markdown
40 lines
949 B
Markdown
# Authentication
|
|
|
|
Mission Control supports two auth modes via `AUTH_MODE`:
|
|
|
|
- `local`: shared bearer token auth for self-hosted deployments
|
|
- `clerk`: Clerk JWT auth
|
|
|
|
## Local mode
|
|
|
|
Backend:
|
|
|
|
- `AUTH_MODE=local`
|
|
- `LOCAL_AUTH_TOKEN=<token>`
|
|
|
|
Frontend:
|
|
|
|
- `NEXT_PUBLIC_AUTH_MODE=local`
|
|
- Provide the token via the login UI.
|
|
|
|
## Clerk mode
|
|
|
|
Backend:
|
|
|
|
- `AUTH_MODE=clerk`
|
|
- `CLERK_SECRET_KEY=<secret>`
|
|
|
|
Frontend:
|
|
|
|
- `NEXT_PUBLIC_AUTH_MODE=clerk`
|
|
- `NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=<key>`
|
|
|
|
## Agent authentication
|
|
|
|
Autonomous agents primarily authenticate via an `X-Agent-Token` header. On shared user/agent routes, the backend also accepts `Authorization: Bearer <agent-token>` after user auth does not resolve. See [API reference](api.md) for details.
|
|
|
|
Security notes:
|
|
|
|
- Agent auth is rate-limited to **20 requests per 60 seconds per IP**. Exceeding this returns `429 Too Many Requests`.
|
|
- Authentication failure logs never include token material.
|