01.software Docs

Authentication & Keys

Use publishable keys, secret keys, CORS, and user access with the right trust boundary.

Use this page before connecting a project, server, vendor, or AI agent to a workspace.

Key Types

| Credential | Use for | Keep out of |
| --- | --- | --- |
| Publishable Key | browser-safe reads from approved origins | privileged writes |
| Secret Key | server-side writes and privileged workflows | browser code, logs, screenshots, commits |
| user access | human-scoped Console and OAuth actions | shared team automation |
| MCP access | approved AI-agent inspection or setup | broad unattended changes |

CORS And Origins

  • Add only the browser origins that should read workspace data.
  • Treat staging, preview, and production origins as separate approvals.
  • Remove old origins after domain changes or vendor offboarding.

Server Boundary

  • Put privileged work behind a trusted server route, server action, worker, or backend service.
  • Load Secret Key values from environment storage, not from checked-in code.
  • Rotate Secret Key ownership when the operator changes.

If a credential is unclear, stop and return to Integrations & Keys before implementation continues.
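
A server-side sketch of the CORS And Origins and Server Boundary rules above. It is an added example, not 01.software code: the environment names mirror the list above, while ALLOWED_ORIGINS, WORKSPACE_SECRET_KEY and the example.com hosts are hypothetical.

```javascript
// Added example. ALLOWED_ORIGINS, WORKSPACE_SECRET_KEY and the example.com
// hosts are hypothetical names, not 01.software identifiers.
// Each environment has its own approval list; removing an origin revokes it.
const ALLOWED_ORIGINS = new Map([
  ["production", new Set(["https://app.example.com"])],
  ["staging", new Set(["https://staging.example.com"])],
  ["preview", new Set()], // nothing approved yet, so nothing is allowed
]);

// Return the canonical origin for an Origin header value, or null when the
// value is not a plain https origin (the literal "null", a path, userinfo).
function parseOrigin(value) {
  if (typeof value !== "string") return null;
  let url;
  try { url = new URL(value); } catch { return null; }
  if (url.protocol !== "https:" || url.username || url.password) return null;
  if (url.pathname !== "/" || url.search || url.hash) return null;
  return url.origin;
}

// CORS response headers for an approved origin in this environment, else null.
// Exact set membership only: no suffix, prefix or wildcard matching.
function corsHeadersFor(environment, originHeader) {
  const approved = ALLOWED_ORIGINS.get(environment);
  const origin = parseOrigin(originHeader);
  if (!approved || origin === null || !approved.has(origin)) return null;
  return { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
}

// Read the Secret Key from the server's environment and fail closed when it
// is absent, so privileged work never starts without a configured key.
function loadSecretKey(env = process.env) {
  const key = env.WORKSPACE_SECRET_KEY;
  if (typeof key !== "string" || key.trim() === "") {
    throw new Error("WORKSPACE_SECRET_KEY is not set in the environment");
  }
  return key;
}

// Scrub the key from any text headed for logs or error reports.
function redact(text, key) {
  return String(text).split(key).join("[redacted]");
}
```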

Next Actions

  • Browser reads: continue to SDK.
  • Direct HTTP work: continue to API.
  • Agent handoff: continue to MCP.
