Authentication
How DevDocs user sessions and service access should protect docs operations.
DevDocs authentication should make the public docs surface easy to read while keeping publishing, domain, and API-execution controls protected.
Identity model
DevDocs uses the shared DevDocs account system for human access. The docs site can stay public, but protected surfaces should know:
- the signed-in user
- the active organization
- the user role in that organization
- whether the route is public, preview-only, or operator-only
API access
Core API calls should use bearer credentials, not long-lived secrets embedded in docs pages.
| Credential | Intended use | Storage expectation |
|---|---|---|
| User session | Browser access to protected DevDocs UI | Managed by the auth provider |
| Service token | Backend automation and deployment workflows | Server-side only |
| Playground credential | Temporary request execution against a documented API | Session-scoped and redacted |
Playground credential rules
The OpenAPI playground should treat credentials as sensitive input:
- never persist raw API keys in the docs database in V1
- mask tokens in the UI after entry
- redact
Authorization, cookies, and secret-like headers from logs - prefer same-origin demo execution until the proxy is hardened
- require an explicit allowlist before proxying external targets
Failure behavior
Authentication failures should be easy to diagnose without leaking secrets:
401means the caller needs to authenticate403means the caller is authenticated but lacks permission404can be used when revealing the existence of a resource would leak tenancy429means the caller should retry later