Auth And Security
The platform is the security gateway for the public product surfaces.
If a browser operator, a service integration, a runtime process, and a worker process all talk to the same product, the platform is the layer that has to keep those identities separate and predictable.
Authentication Styles
The platform supports multiple identity paths, including:
- API keys for services, operators, runtimes, and workers
- JWT-backed browser sessions
- SSO flows where configured
That combination exists because the product supports both interactive operator use and machine-to-machine operation.
Scope Model
Platform routes are protected by scope-aware handlers. Common scopes in the codebase include:
- admin
- agent
- worker
- service
That model matters because not every caller should be allowed to mutate workflow state or publish execution output.
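A sketch of what a scope-aware handler can look like, added here as an illustration and not taken from the platform's codebase. Only the four scope names come from this page; `Principal`, `require_scope`, the two handlers, and the choice of which scope may call which route are assumptions.

```python
from dataclasses import dataclass
from functools import wraps

KNOWN_SCOPES = frozenset({"admin", "agent", "worker", "service"})  # names from this page


class Forbidden(Exception):
    """Caller is authenticated but holds none of the required scopes (HTTP 403)."""


@dataclass(frozen=True)
class Principal:
    # Hypothetical shape: what an API key or JWT session resolves to after authentication.
    subject: str
    scopes: frozenset


def require_scope(*allowed):
    """Wrap a handler so it runs only when the caller holds one of `allowed`."""
    unknown = set(allowed) - KNOWN_SCOPES
    if not allowed or unknown:
        # Fail when the route is declared: a typo or an empty list must not become an open route.
        raise ValueError(f"invalid scope declaration: {sorted(unknown) or 'empty'}")

    def decorator(handler):
        @wraps(handler)
        def guarded(principal, *args, **kwargs):
            # Scopes the platform does not define grant nothing.
            granted = principal.scopes & KNOWN_SCOPES
            if granted.isdisjoint(allowed):
                raise Forbidden(f"{principal.subject} lacks any of {sorted(allowed)}")
            return handler(principal, *args, **kwargs)
        return guarded
    return decorator


# Hypothetical handlers; the scope-to-route mapping below is an assumption.
@require_scope("admin")
def update_workflow(principal, workflow_id, state):
    return {"workflow": workflow_id, "state": state, "by": principal.subject}


@require_scope("worker")
def publish_output(principal, run_id, output):
    return {"run": run_id, "output": output, "by": principal.subject}
```

In this sketch `admin` carries no implicit access to worker routes: every route lists the scopes it accepts, so a new route is closed to all callers until a scope is named for it.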
Security Responsibilities
At the platform layer, key responsibilities include:
- identity and scope enforcement
- request validation
- CSRF protection for cookie-backed flows
- protection of workflow and operator records
- secure handling of integration and provider configuration
Boundary With Runtime
The platform decides who is allowed to do what. The runtime enforces the execution contract it is given. Those are related but distinct security responsibilities.