Security
This page documents the current implementation in the repository today.
Authentication and Session Control
Platform access is authenticated through Keycloak.
Current characteristics:
- session expiry is governed by Keycloak realm policy
- the frontend performs heartbeat-based session checks
- a session that expires while on a protected route redirects the user back to sign-in
- repository-linked identity provider flows can be brokered through Keycloak
Resource Ownership
The backend consistently resolves the authenticated user and scopes many project and deployment operations to that user.
In practical terms, the current product already enforces:
- user-owned monolith project access
- user-owned microservice project access
- user-owned database deployment access
That ownership model is one of the real security boundaries present in the code today.
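The following is an added illustration of that ownership boundary; it is hypothetical code, not the project's own backend, and the in-memory store, the `Project`/`Deployment` types and the exception names are constructed for the example. It contrasts a lookup keyed only by id with one where the authenticated user is part of the query, which is the shape of check the ownership model described above implies.

```python
"""Ownership-scoped lookups (added example; hypothetical, not the repository's code)."""
from dataclasses import dataclass
from typing import Dict, Optional


class NotFound(Exception):
    """Raised for both 'does not exist' and 'not yours' so a caller cannot probe for ids."""


@dataclass(frozen=True)
class Project:
    project_id: str
    owner_id: str   # the authenticated user who created the project
    kind: str       # "monolith" or "microservice"


@dataclass(frozen=True)
class Deployment:
    deployment_id: str
    project_id: str  # ownership is inherited from the parent project
    database: str


# Constructed in-memory tables standing in for the backend's datastore.
PROJECTS: Dict[str, Project] = {
    "p-1": Project("p-1", "user-alice", "monolith"),
    "p-2": Project("p-2", "user-bob", "microservice"),
}
DEPLOYMENTS: Dict[str, Deployment] = {
    "d-1": Deployment("d-1", "p-1", "orders-db"),
    "d-2": Deployment("d-2", "p-2", "billing-db"),
}


def get_project_unscoped(project_id: str) -> Optional[Project]:
    """Lookup by id alone: any authenticated caller can read any project.

    This is the gap the ownership model closes; it is shown only for contrast."""
    return PROJECTS.get(project_id)


def get_project_for_user(project_id: str, current_user_id: str) -> Project:
    """Lookup scoped to the caller: the owner predicate is part of the query,
    not a check bolted on after the record has already been fetched."""
    project = PROJECTS.get(project_id)
    if project is None or project.owner_id != current_user_id:
        raise NotFound(project_id)
    return project


def get_deployment_for_user(deployment_id: str, current_user_id: str) -> Deployment:
    """Deployment access resolves through the owning project, so a deployment
    id that belongs to someone else's project is indistinguishable from a missing one."""
    deployment = DEPLOYMENTS.get(deployment_id)
    if deployment is None:
        raise NotFound(deployment_id)
    # Re-uses the project check; raises NotFound if the caller does not own the parent.
    get_project_for_user(deployment.project_id, current_user_id)
    return deployment


def user_can_access_deployment(deployment_id: str, current_user_id: str) -> bool:
    """Boolean wrapper convenient for route guards and for tests."""
    try:
        get_deployment_for_user(deployment_id, current_user_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    print(get_project_for_user("p-1", "user-alice"))           # owner: returns the project
    print(user_can_access_deployment("d-2", "user-alice"))     # not owner: False
```

Returning the same `NotFound` for a missing id and for another user's id is a deliberate choice: a distinct "forbidden" response would confirm that the id exists.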
Runtime Credentials and Secrets
The current implementation is primarily Kubernetes-secret-first in active runtime flows.
Examples in the current codebase:
- single-db auth secrets
- TLS secret validation/copying
- cluster credential generation into Kubernetes Secrets
- backup credential secrets for object storage access
Some domain models still carry fields such as vaultPath or isVaultSecret, but the active runtime flows in this repository should not be documented as fully Vault-driven end-to-end.
Webhook Secret Protection
Webhook secrets are a real current feature in the monolith flow.
The backend includes support for:
- secret generation
- encryption
- decryption
- request signature verification
That is a stronger and more accurate statement than simply saying “webhooks exist.”
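As an added example of the generation and request-signature-verification pieces listed above (not the repository's code): the header name, the `sha256=` prefix and HMAC-SHA256 as the signature scheme are assumptions, and the sample delivery body is constructed. At-rest encryption of the stored secret is outside this snippet. The verification uses a constant-time comparison and treats a missing or malformed header as a failed check rather than an error path that might be skipped.

```python
"""Webhook secret generation and request signature verification (added example)."""
import hashlib
import hmac
import secrets
from typing import Optional

SIGNATURE_HEADER = "X-Webhook-Signature"   # assumed header name
SIGNATURE_PREFIX = "sha256="               # assumed on-the-wire format


def generate_webhook_secret(nbytes: int = 32) -> str:
    """Fresh high-entropy secret from the OS CSPRNG (256 bits by default)."""
    return secrets.token_hex(nbytes)


def sign_payload(secret: str, body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, rendered as the header value."""
    digest = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()
    return SIGNATURE_PREFIX + digest


def verify_signature(secret: str, body: bytes, header_value: Optional[str]) -> bool:
    """True only for a well-formed header whose MAC matches the raw body.

    Compares with hmac.compare_digest so the comparison time does not depend
    on how many leading bytes of the attacker-controlled value are correct."""
    if not header_value or not header_value.startswith(SIGNATURE_PREFIX):
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, header_value)


def handle_delivery(secret: str, body: bytes, headers: dict) -> int:
    """Minimal handler: 401 on a bad or absent signature, 202 on success.

    The body is verified as received, before any JSON parsing, since
    re-serialising parsed JSON would not round-trip byte-for-byte."""
    if not verify_signature(secret, body, headers.get(SIGNATURE_HEADER)):
        return 401
    return 202


# Constructed sample delivery used by the demo and the test.
SECRET = "c0ffee" * 10                           # fixed so results are reproducible
BODY = b'{"ref":"refs/heads/main","after":"abc123"}'
GOOD_HEADERS = {SIGNATURE_HEADER: sign_payload(SECRET, BODY)}

if __name__ == "__main__":
    print(handle_delivery(SECRET, BODY, GOOD_HEADERS))                      # 202
    print(handle_delivery(SECRET, BODY + b" ", GOOD_HEADERS))               # 401: body tampered
    print(handle_delivery(generate_webhook_secret(), BODY, GOOD_HEADERS))   # 401: different secret
```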
Network and Namespace Isolation
The platform uses namespace- and runtime-level isolation patterns such as:
- workspace namespaces
- resource quota enforcement
- project and deployment routing through platform-managed domains
- TLS-backed ingress and gateway flows
This is also visible in the current database and workspace provisioning behavior.
Scanning and Security Tooling
Current repo evidence shows:
- project-scoped SonarQube summary/access APIs are real
- the image scanner UI exists in the frontend
However, the current scanner page is still more preview-oriented than a fully live Harbor security console.
So the accurate documentation stance is:
- SonarQube integration is real
- security scanning UX exists
- the current image-scanner page should not be oversold as a fully live policy-enforcement center