Authentication

AeThex services use different credentials for people, browser sessions, tenants, integrations, and operators. They must not be mixed.

Field Value
Documentation status Active
Applies to Passport, KAEL, API clients, tenants, and integrations
Last source review 2026-06-26

Browser identity

KAEL currently supports:

  • An AeThex identity-provider redirect flow beginning at GET /auth/login.
  • A secure KAEL session cookie.
  • Email one-time-code requests through POST /auth/email.
  • Email code verification through POST /auth/verify.
  • Session inspection through GET /auth/me.
  • Logout through GET /auth/logout.

The session cookie is intended to be HttpOnly and Secure; browser JavaScript should not read it.

Passport context

After authentication, the runtime can resolve Passport profile and ARM membership information. That context contributes to server-calculated clearance.

The client must not grant itself a higher clearance level.

Tenant authentication

Approved server-side tenant integrations can supply x-tenant-key to tenant-aware endpoints.

Tenant keys can select:

  • Tenant prompt.
  • Tenant knowledge.
  • Model policy.
  • Tenant rate limits.

Never embed a tenant key in public browser JavaScript.

Operator authentication

Operator tokens authorize privileged KAEL operations. They are not user sessions and must remain in trusted server or operator environments.

Owner-level credentials can authorize particularly sensitive operations. They must be rotated if exposed and must never appear in documentation.

Webhook authentication

AeThex deployment webhooks require an HMAC signature in the configured Gitea or GitHub signature header. Discord interactions use Discord’s Ed25519 signature and timestamp headers.

See Webhooks.

Client checklist

  • Verify the hostname before signing in.
  • Use HTTPS.
  • Keep cookies out of logs.
  • Keep tenant and operator credentials server-side.
  • Validate redirect targets.
  • Rate-limit email code and verification attempts.
  • Clear sessions on logout.
  • Handle 401 and 403 differently.
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9