Security Architecture: Auth, Credential Vault, API Keys, and Access Control

Fluxo uses Better Auth with:

• email/password auth
• trusted social providers (Google, GitHub, Dropbox)
• account linking
• session-backed protected procedures

Every protected request resolves active organization context server-side before business logic. This prevents cross-tenant access bugs and keeps authorization logic consistent.

Credentials are encrypted at rest using an application encryption key before persistence. At runtime, decrypt happens only where needed for provider calls.

I also enforce credential type alignment so a node cannot accidentally use an incompatible credential class.

I enforce access at multiple levels:

• role-level guards (OWNER, ADMIN, PARTICIPANT, REVIEWER)
• asset-level selected permissions for workflows and credentials
• operation-level checks (view vs edit)

Reviewer role is constrained by design to avoid accidental privilege bleed.

I implemented organization-scoped API keys with:

• hash-only storage
• one-time raw key reveal
• prefix display for management
• scopes (review read/write/approve and webhook scopes)
• revoke and expiry controls

Request auth uses bearer key verification, scope checks, and last-used timestamp updates.

Outgoing review webhooks are signed with HMAC SHA-256 per endpoint secret and include delivery ids. Delivery attempts are persisted with response status/body and retry metadata.

For public review links and quick actions, I use hashed tokens with expiration and usage tracking. Session actions log actor label, IP, and user-agent for auditability.

Security in Fluxo scales because it is consistent. Auth, org context, role checks, and tokenized external access all align to the same organization boundary. That consistency is what keeps new features secure by default.