
Authentication

Mimic supports session authentication for user traffic and API key authentication for worker callbacks.

User session auth

  • Applies to /app/* and most /api/* routes.
  • Session cookie is set after login.
  • Route handlers read event.locals.user and reject unauthenticated requests.

Worker and service auth

Some machine endpoints require explicit API keys or signed webhook verification.

Typical patterns:

  • x-api-key header for trusted service-to-service calls
  • Stripe signature verification for billing webhooks
  • Scoped machine credentials for callback endpoints

Authorization model

Authentication alone is not sufficient. Handlers must also enforce organization ownership:

  • Query by resource ID and organization ID together.
  • Reject cross-org access with 403 responses.

Error contract

Recommended auth response payload:

  {
    "error": "unauthorized",
    "message": "Authentication required"
  }

Use 401 for missing/invalid auth and 403 for authenticated-but-forbidden access.

Hardening checklist

  • Validate payload shape with Zod before side effects.
  • Keep secrets in environment variables only.
  • Rotate API keys on compromise or operator turnover.
  • Log auth failures with request context and no secret values.
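The following TypeScript is an added example, not Mimic's own code, that ties together the patterns on this page: the user-session path (read `event.locals.user`, answer 401 with the payload from the error contract), the authorization step (look the resource up by resource ID and organization ID together, answer 403 on a cross-org request), the `x-api-key` path for service calls (constant-time comparison against a key loaded from the environment), and an auth-failure log record that carries request context but no secret values. The `AppEvent`, `User` and `Resource` types, the in-memory `resources` table, the 403 payload shape and the `MIMIC_API_KEY` variable name are all assumptions made for this example; real handlers would use the SvelteKit `RequestEvent` and a database query. Zod validation of the request body is left out because it belongs before these checks only for endpoints that take a payload.

```typescript
import { timingSafeEqual } from 'node:crypto';

// Hypothetical stand-ins for the SvelteKit event shape the page refers to
// (event.locals.user). Constructed for this example, not Mimic's real types.
export interface User { id: string; orgId: string }
export interface Resource { id: string; orgId: string; name: string }
export interface AppEvent {
  locals: { user: User | null };
  headers: Record<string, string>;
  path: string;
}
export interface Reply {
  status: number;
  body: { error?: string; message?: string; data?: Resource };
}

// Error contract from the page: 401 for missing or invalid auth.
export const UNAUTHORIZED: Reply = {
  status: 401,
  body: { error: 'unauthorized', message: 'Authentication required' },
};
// 403 for authenticated-but-forbidden; the payload mirrors the 401 shape (assumption).
export const FORBIDDEN: Reply = {
  status: 403,
  body: { error: 'forbidden', message: 'Access to this resource is not permitted' },
};

// Constructed sample rows standing in for a database table.
const resources: Resource[] = [
  { id: 'r1', orgId: 'org-a', name: 'alpha' },
  { id: 'r2', orgId: 'org-b', name: 'beta' },
];

// Authorization step: filter by resource ID AND organization ID in the same
// query, so a valid ID belonging to another organization is never returned.
export function findOwnedResource(id: string, orgId: string): Resource | undefined {
  return resources.find((r) => r.id === id && r.orgId === orgId);
}

// Auth-failure log record: route and reason, plus the user ID when known.
// Headers (cookies, API keys) are deliberately not copied into the record.
export function authFailureRecord(event: AppEvent, reason: string): Record<string, string> {
  return {
    event: 'auth_failure',
    reason,
    path: event.path,
    userId: event.locals.user?.id ?? 'anonymous',
  };
}

// User-session path: authenticate via event.locals.user, then enforce ownership.
export function handleGetResource(event: AppEvent, resourceId: string): Reply {
  const user = event.locals.user;
  if (!user) return UNAUTHORIZED; // 401: no session
  const resource = findOwnedResource(resourceId, user.orgId);
  if (!resource) return FORBIDDEN; // 403: not owned by the caller's organization
  return { status: 200, body: { data: resource } };
}

// Service path: compare the presented x-api-key against the expected key in
// constant time. The expected key is read from the environment by the caller
// (e.g. process.env.MIMIC_API_KEY, an assumed name) and never hard-coded.
export function verifyApiKey(presented: string | undefined, expected: string): boolean {
  if (!presented || expected.length === 0) return false;
  const a = Buffer.from(presented, 'utf8');
  const b = Buffer.from(expected, 'utf8');
  // timingSafeEqual requires equal lengths; an early return here reveals only
  // the key length, not its content.
  if (a.length !== b.length) return false;
  return timingSafeEqual(a, b);
}

export function handleWorkerCallback(event: AppEvent, expectedKey: string): Reply {
  if (!verifyApiKey(event.headers['x-api-key'], expectedKey)) {
    console.warn(JSON.stringify(authFailureRecord(event, 'bad_api_key')));
    return UNAUTHORIZED;
  }
  return { status: 200, body: { message: 'callback accepted' } };
}
```

Because `findOwnedResource` filters on both IDs in one lookup, a cross-org request and a request for a nonexistent ID look identical to the caller; that is intentional, since distinguishing them would confirm that an ID exists in another organization.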