Authentication
Token types and permission model for Teams, Clients, and MS Auth.
Token types
| Token | Used for | Common mistake |
|---|---|---|
| `dashboard_token` | Team owner/admin routes (`/teams`, `/client/apps`, `/server/servers`) | Using it for launcher machine auth |
| `client_secret` | Client-to-Axolite service calls (`/client/ms-auth/*`) | Embedding it in a public launcher binary |
| `axolite_session_token` | Session token after user consent in the MS auth flow | Reusing it without validation |
Team and ownership model
- Every team has one owner (the user who created it).
- Roles are `owner`, `admin`, `member`, `viewer`.
- Authorization is evaluated as token + team membership + route policy.
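To make the "token + team membership + route policy" evaluation concrete, here is an added example of an authorization check written for this page; it is not Axolite's own code. The role names and the routes come from the page; the policy table (which token type each route accepts and the minimum role it needs), the `Token`/`Team` shapes and the rule that a `client_secret` is tied to the team that owns the client are assumptions for illustration. It also shows why the two "common mistakes" from the token table are rejected.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Roles from the page, ranked so "at least admin" can be compared.
ROLE_RANK = {"viewer": 0, "member": 1, "admin": 2, "owner": 3}

# Hypothetical route policy: route -> (accepted token type, minimum team role or None).
ROUTE_POLICY = {
    "/teams": ("dashboard_token", "admin"),
    "/client/apps": ("dashboard_token", "admin"),
    "/server/servers": ("dashboard_token", "admin"),
    "/client/ms-auth/start": ("client_secret", None),
    "/client/ms-auth/poll": ("client_secret", None),
    "/client/ms-auth/session/validate": ("client_secret", None),
}


@dataclass
class Token:
    kind: str                     # dashboard_token | client_secret | axolite_session_token
    subject: str                  # user id, or client id for a client_secret
    team_id: Optional[str] = None  # assumed: a client_secret is bound to its owning team


@dataclass
class Team:
    team_id: str
    owner: str                                   # every team has exactly one owner
    members: Dict[str, str] = field(default_factory=dict)  # user -> role

    def role_of(self, user: str) -> Optional[str]:
        if user == self.owner:
            return "owner"
        return self.members.get(user)


def authorize(token: Token, team: Team, route: str) -> Tuple[bool, str]:
    """Evaluate token type, team membership and route policy; return (allowed, reason)."""
    policy = ROUTE_POLICY.get(route)
    if policy is None:
        return False, "unknown route"
    wanted_kind, min_role = policy
    if token.kind != wanted_kind:
        # e.g. a dashboard_token presented to a /client/ms-auth/* route
        return False, f"{route} accepts {wanted_kind}, got {token.kind}"
    if wanted_kind == "client_secret":
        if token.team_id != team.team_id:
            return False, "client belongs to another team"
        return True, "client credential accepted"
    role = team.role_of(token.subject)
    if role is None:
        return False, "not a team member"
    if ROLE_RANK[role] < ROLE_RANK[min_role]:
        return False, f"role {role} is below {min_role}"
    return True, f"{role} allowed"


def demo() -> Dict[str, bool]:
    """Constructed scenarios covering each branch of the check."""
    team = Team("team-1", owner="alice", members={"bob": "admin", "carol": "viewer"})
    owner_dash = Token("dashboard_token", "alice")
    viewer_dash = Token("dashboard_token", "carol")
    client = Token("client_secret", "client-xyz", team_id="team-1")
    foreign_client = Token("client_secret", "client-abc", team_id="team-2")
    return {
        "owner_on_teams": authorize(owner_dash, team, "/teams")[0],
        "viewer_on_teams": authorize(viewer_dash, team, "/teams")[0],
        "dashboard_token_for_launcher_auth": authorize(owner_dash, team, "/client/ms-auth/start")[0],
        "client_secret_on_ms_auth": authorize(client, team, "/client/ms-auth/start")[0],
        "foreign_client_secret": authorize(foreign_client, team, "/client/ms-auth/start")[0],
    }
```

The useful property is that each denial names the failing leg (token type, membership, or role), which is what you want logged when a launcher is mistakenly shipped with a `dashboard_token`.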
Client credential model
- Each client has a `client_id` and a `client_secret`. The `client_secret` is only returned on creation and rotation.
- Always store the `client_secret` server-side.
OAuth with Microsoft
- The client backend calls `/client/ms-auth/start`.
- The user authenticates with Microsoft using the URL from `auth_url`.
- Axolite handles the callback at `/client/ms-auth/callback`.
- The user accepts consent at `/client/ms-auth/authorize`.
- The client polls `/client/ms-auth/poll`.
- Validate the session using `/client/ms-auth/session/validate`.
Gotchas
- Missing module activation returns `400` on `/client/ms-auth/start`.
- Missing `network_name` for network servers returns `400`.
- An expired auth request returns `expired` status from the consent endpoint.
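The following is an added example of the client-backend side of the flow above (start, poll, validate) that also handles the gotchas just listed; it is not Axolite's own SDK. The endpoint paths, the `auth_url` field, the `400` responses, the `expired` status and the `axolite_session_token` name come from the page. Everything else is assumed: that client credentials travel in `X-Client-Id`/`X-Client-Secret` headers, a `request_id` field returned by `start` and echoed to `poll`, a `pending`/`completed` status vocabulary, and a `valid` flag from the validate endpoint. The HTTP transport is injected, and `FakeAxolite` is a constructed stand-in so the example runs offline; the user's Microsoft login and consent steps happen out of band and are simulated by the fake.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# A transport is (method, path, headers, payload) -> (http_status, json_body).
# Injected so the flow can be driven by a fake server offline (a real one would use requests/httpx).
Transport = Callable[[str, str, Dict[str, str], dict], Tuple[int, dict]]


class AxoliteAuthError(Exception):
    """Raised when any step of the MS auth flow fails."""


@dataclass
class MsAuthClient:
    client_id: str
    client_secret: str  # lives on the client backend only, never in a launcher binary
    transport: Transport

    def _headers(self) -> Dict[str, str]:
        # Assumed header names; the page does not say how client credentials are sent.
        return {"X-Client-Id": self.client_id, "X-Client-Secret": self.client_secret}

    def _call(self, method: str, path: str, payload: Optional[dict] = None) -> dict:
        status, data = self.transport(method, path, self._headers(), payload or {})
        if status == 400:
            # The page's gotchas: inactive module, missing network_name.
            raise AxoliteAuthError(f"{path} returned 400: {data.get('error', 'bad request')}")
        if status != 200:
            raise AxoliteAuthError(f"{path} returned {status}")
        return data

    def start(self, network_name: Optional[str] = None) -> Tuple[str, str]:
        payload = {"network_name": network_name} if network_name else {}
        data = self._call("POST", "/client/ms-auth/start", payload)
        return data["request_id"], data["auth_url"]  # request_id is an assumed field

    def poll(self, request_id: str, max_polls: int = 60) -> str:
        """Poll until the user has consented; return the axolite_session_token."""
        for _ in range(max_polls):
            data = self._call("GET", "/client/ms-auth/poll", {"request_id": request_id})
            status = data.get("status")
            if status == "expired":
                raise AxoliteAuthError("auth request expired; start a new one")
            if status == "completed":
                return data["axolite_session_token"]
            # "pending": the user is still at auth_url or the consent page (sleep here in real code)
        raise AxoliteAuthError("gave up polling")

    def validate(self, token: str) -> dict:
        """Never treat login as successful until the service has validated the session token."""
        data = self._call("POST", "/client/ms-auth/session/validate", {"axolite_session_token": token})
        if not data.get("valid"):
            raise AxoliteAuthError("session token failed validation")
        return data

    def login(self, network_name: Optional[str] = None) -> dict:
        request_id, _auth_url = self.start(network_name)  # _auth_url is shown to the user
        return self.validate(self.poll(request_id))


class FakeAxolite:
    """Constructed stand-in for the service, with just enough behaviour to hit every branch."""

    def __init__(self, module_active=True, is_network_server=False, polls_before_consent=2, expire=False):
        self.module_active, self.is_network_server = module_active, is_network_server
        self.polls_before_consent, self.expire = polls_before_consent, expire
        self.polls: Dict[str, int] = {}
        self.tokens: set = set()

    def __call__(self, method, path, headers, payload):
        if headers.get("X-Client-Secret") != "s3cr3t-constructed":
            return 401, {"error": "bad client credentials"}
        if path == "/client/ms-auth/start":
            if not self.module_active:
                return 400, {"error": "module not activated"}
            if self.is_network_server and not payload.get("network_name"):
                return 400, {"error": "network_name required"}
            self.polls["req-1"] = 0
            return 200, {"request_id": "req-1", "auth_url": "https://login.example/constructed"}
        if path == "/client/ms-auth/poll":
            rid = payload.get("request_id")
            if rid not in self.polls:
                return 400, {"error": "unknown request"}
            self.polls[rid] += 1
            if self.expire:
                return 200, {"status": "expired"}
            if self.polls[rid] < self.polls_before_consent:
                return 200, {"status": "pending"}
            self.tokens.add(f"sess-{rid}")  # consent happened out of band
            return 200, {"status": "completed", "axolite_session_token": f"sess-{rid}"}
        if path == "/client/ms-auth/session/validate":
            ok = payload.get("axolite_session_token") in self.tokens
            return 200, {"valid": ok, "user": "player-constructed" if ok else None}
        return 404, {"error": "no such route"}


def make_client(**fake_kwargs) -> MsAuthClient:
    return MsAuthClient("client-constructed", "s3cr3t-constructed", FakeAxolite(**fake_kwargs))


def try_login(network_name: Optional[str] = None, **fake_kwargs) -> str:
    """Return 'ok:<user>' or 'error:<message>' so each outcome can be inspected."""
    try:
        return "ok:" + make_client(**fake_kwargs).login(network_name)["user"]
    except AxoliteAuthError as exc:
        return "error:" + str(exc)
```

Note that `login` only returns after `validate` succeeds, which is the troubleshooting rule of always validating `axolite_session_token` before declaring login success; a token the service never issued (a forged or replayed one) fails the validate step rather than being trusted because it arrived from the poll.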
Troubleshooting
- Rotate client secrets immediately on leak.
- Do not expose client secrets in browser JS or launcher binaries.
- Always validate `axolite_session_token` before login success.