Auth & RBAC
Two layers, deliberately separated:
- Editor authentication — how a human signs into the Studio. Magic links, passkeys, optional SAML/SCIM via the WorkOS-backed module.
- API authentication — how a server or CLI talks to the API. Per-workspace API keys with scopes.
Authorization is layered on top of either: enum role baselines stored on memberships (owner, admin, member, billing), plus the optional advanced RBAC module, which adds field-level read/write permissions on top.
Editor sign-in
The default flow is email magic links via Resend. Self-hosted SMTP works too if the customer prefers.
Passkeys are registered after the first magic-link login from /settings. After registration, sign-in is a single click — no email round-trip. The private key never leaves the user's device.
For SAML/SCIM customers, the WorkOS module ($399/mo) backs the entire identity flow. Provisioning (SCIM) auto-creates Estokad memberships when an IdP group changes. JIT (just-in-time) is the default; pre-provisioning works the same way.
EU national IdPs — itsme (Belgium), Verimi (Germany), FranceConnect (France) — are configurable per-workspace under /settings/auth. Credentials never leave the EU.
API access
Issue keys per workspace from /settings/api-keys. Four scopes:
- read — published entries only
- read_draft — published + drafts
- write — content CRUD
- management — schema, settings, billing
The key's plaintext is shown once, at issuance. The server stores only a SHA-256 hash of it. Revoked keys keep their row for audit purposes.
Authorization
Two layers:
| Layer | Source | Effect |
|---|---|---|
| Enum role | memberships.role | Floor for content rights — owner/admin/member get full content perms; billing reads only |
| Custom role | memberships.custom_role_id | Per-(content_type, field) deny rules |
The custom role layer is opt-in via the advanced RBAC module ($149/mo). The engine is always-on so existing rules stay enforced when a workspace lapses on the module — but new rule creation is gated.
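The two layers above, as an added illustration (not Estokad's own code): the enum role decides the baseline, a custom role's (content_type, field) deny rules subtract from it, and the engine keeps evaluating existing rules even when the module is inactive while refusing to create new ones. Class and method names are assumptions.

```python
from dataclasses import dataclass, field as dc_field
from typing import Optional

# Baseline grants per enum role, following the table: owner/admin/member get
# full content permissions, billing reads only. The mapping itself is assumed.
ENUM_FLOOR = {
    "owner": {"read", "write"},
    "admin": {"read", "write"},
    "member": {"read", "write"},
    "billing": {"read"},
}

@dataclass(frozen=True)
class DenyRule:
    content_type: str
    field: str
    action: str  # "read" or "write"

@dataclass
class CustomRole:
    name: str
    deny: set = dc_field(default_factory=set)

@dataclass
class Membership:
    role: str                                # memberships.role
    custom_role: Optional[CustomRole] = None  # memberships.custom_role_id, resolved

class RbacEngine:
    """Evaluation is always on; only rule creation is gated on the module (assumed API)."""
    def __init__(self, module_active: bool):
        self.module_active = module_active

    def add_rule(self, custom_role: CustomRole, rule: DenyRule) -> None:
        if not self.module_active:
            raise PermissionError("advanced RBAC module inactive: cannot create rules")
        custom_role.deny.add(rule)

    def allowed(self, m: Membership, action: str, content_type: str, fld: str) -> bool:
        if action not in ENUM_FLOOR.get(m.role, set()):
            return False  # the enum role baseline already refuses this action
        if m.custom_role is None:
            return True
        return not any(r.action == action and r.content_type == content_type
                       and r.field == fld for r in m.custom_role.deny)

    def readable_fields(self, m: Membership, content_type: str, record: dict) -> dict:
        # Project a record down to the fields this membership may read.
        return {k: v for k, v in record.items()
                if self.allowed(m, "read", content_type, k)}
```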
In depth
- API keys — how to issue them, scope them, rotate them.
- Custom roles — field-level RBAC, the deny model, audit trail.