Three auth surfaces

  • Admin UI → session cookie (Better Auth). Login at /login, signup at /login?mode=signup.

  • CDN API → ?token= query parameter. Three default tokens per space: public / preview / private.

  • Management API → Authorization: Bearer <sbmgmt_... or sbmcp_...>. Tokens are HMAC-hashed at rest.

Enable OIDC SSO

Set OIDC_ISSUER_URL to any OIDC-compliant IdP (Keycloak, Authentik, Auth0, Okta, Google). Email+password login is disabled automatically; the IdP becomes the sole entry point.

.env (minimum OIDC config):

OIDC_ISSUER_URL=https://auth.example.com/realms/main
OIDC_CLIENT_ID=osstblok
OIDC_CLIENT_SECRET=...

# optional
OIDC_PROVIDER_ID=keycloak
OIDC_DISPLAY_NAME=Company SSO
OIDC_SCOPES=openid,email,profile
OIDC_TRUST_EMAIL=false   # opt-in: merge OIDC + email accounts with matching verified email

Roles

Per-space roles: admin, editor, viewer. The useSpaceRole composable exposes canEdit / canAdmin / isViewer flags to the admin UI. Every security-sensitive mutation is written to an append-only audit log (GET /v1/spaces/:spaceId/audit_log).