Skip to content

Security & Auth Overview

Security in Monozu Cloud is implemented at multiple layers: JWT-based authentication, role-based access control (RBAC), per-tenant data isolation via database Row-Level Security, and optional Microsoft Entra ID SSO.

Authentication mechanisms

Mechanism	Used by	Description
Email + password	Cloud SPA users	bcrypt-hashed passwords, optional TOTP MFA
Microsoft Entra ID (OIDC)	Cloud SPA, Management SPA	Per-tenant app registration or platform-level SSO
JWT access token	All API calls	Short-lived (default 60 min), carried in `Authorization: Bearer`
HttpOnly refresh cookie	Browser ↔ Cloud API	Long-lived (default 7 days), used to silently reissue access tokens
Provisioning key	Edge devices	Per-tenant key created in Settings → Edge registration keys
`X-Device-Key`	Edge → Ingestor	Device-specific key assigned at registration
`X-Internal-Token`	Cloud ↔ Management M2M	Shared secret, set in both Key Vaults
HMAC-SHA256	Management → Cloud webhook	Signed with `CLOUD_WEBHOOK_HMAC_SECRET`

Auth policy modes

The Cloud Backend supports two auth policy modes set via AUTH_POLICY:

Mode	Behavior
`standard` (default)	Email/password login + optional Entra ID SSO
`restricted`	Entra ID SSO only. Blocks `/auth/login`, `/auth/register`, `/auth/check-method`. User email must match `AUTH_ALLOWED_EMAIL_DOMAINS`.

Tenant isolation

All Cloud Backend data is isolated per tenant using Azure SQL Row-Level Security. See Multi-Tenancy for the implementation details.

Data access control

graph TD
    Request["Incoming request"] --> JWT["JWT middleware<br>validate + extract tenant_id, user_id"]
    JWT --> RBAC["RBAC middleware<br>check required permission"]
    RBAC --> Handler["Domain handler"]
    Handler --> RLS["Azure SQL RLS<br>SESSION_CONTEXT tenant_id enforced"]
    RLS --> Data["Tenant-scoped data"]

Key files

Concern	Location
Auth domain handlers	`Backend/internal/domain/auth/`
Auth middleware (JWT validation)	`Backend/internal/middleware/auth.go`
RBAC middleware	`Backend/internal/middleware/rbac.go`
Permission catalog	`Backend/internal/rbac/catalog.go`
Row-Level Security setup	`Backend/docs/deployment/row-level-security.md`
Frontend auth routes	`Frontend/src/routes/auth/`
Frontend auth store	`Frontend/lib/stores/authStore.ts`
Session restore (hydration)	`Frontend/src/components/SessionRestore.tsx`

JWT Flow — access and refresh token lifecycle
RBAC — permission groups and catalog
SSO & Entra ID — OIDC integration details