Authentication
Authentication is how Lovelace knows who you are and what you're allowed to access. It's the foundation of security across the entire platform.
The Core Challenge
You need secure authentication that:
- Works seamlessly across web, CLI, desktop, and API access
- Doesn't rely on passwords (which get leaked, phished, and reused)
- Supports both human users and automated services
- Provides granular permission control
Lovelace solves this through a unified authentication system that adapts to different use cases while maintaining consistent security.
Authentication Methods
WebAuthn/Passkeys are the recommended approach for human users. Register your device (phone, laptop, security key), then authenticate with biometrics or a PIN. No passwords to remember, no credentials to phish. It's the most secure and fastest option.
OAuth flows enable delegated access. The authorization code flow works for web applications, device authorization flow handles CLI and desktop apps, and client credentials flow supports service-to-service communication. All are industry-standard protocols.
API keys provide long-lived tokens for programmatic access. They're configurable, scoped, revocable, and designed for automation and CI/CD pipelines.
Core Concepts
Users are individuals with email addresses and authentication credentials.
Accounts are containers for users, workspaces, and resources. One account can have multiple users with different permissions.
Sessions are active authentication periods. Web sessions use secure cookies, CLI sessions store credentials locally, and API sessions use short-lived access tokens with refresh capability.
Tokens are JWT-based authentication proofs carrying information about the user, their permissions (scopes), and when the token expires.
Scopes provide granular permission control—read projects, write agents, manage account, etc. You request only the permissions you need, implementing least privilege.
How It Works Across Products
The web application uses passkey authentication—simple, fast, secure.
The Developer Portal integrates with the main Accounts service via OAuth.
The CLI uses device authorization flow—you get a code, visit a URL, authorize, and the CLI receives tokens.
Studio inherits web app authentication with support for organization switching.
API integrations use Bearer token authentication with API keys.
Security Model
One account works across all products. Authentication is handled by the Accounts Service, which all products trust. This means you authenticate once and access everything, while maintaining fine-grained control over what each service can do.
Tokens are short-lived (access tokens expire after 15 minutes) with automatic refresh. This limits the damage from a leaked token while maintaining seamless user experience.
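To make the token model concrete (the JWT claims described under Core Concepts and the 15-minute expiry above), here is an added example of how a service can verify an access token and enforce a required scope. This is illustrative code, not Lovelace's own implementation; the HS256 signing key, the claim layout, and scope names such as projects:read and agents:write are assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed demo key; a real service would use its own signing key or the
# Accounts Service's public key for an asymmetric algorithm.
SIGNING_KEY = b"demo-signing-key-not-for-production"
ACCESS_TOKEN_TTL = 15 * 60  # access tokens live 15 minutes, as described above


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(user: str, scopes: List[str], now: int) -> str:
    """Mint an HS256 JWT carrying subject, scopes, issue time and expiry."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "scope": " ".join(scopes), "iat": now, "exp": now + ACCESS_TOKEN_TTL}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_access_token(token: str, now: int) -> Optional[dict]:
    """Return the claims if signature, algorithm and expiry all check out, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never let the token choose how it is verified
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # signature mismatch: tampered or signed by someone else
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None
    if now >= int(claims.get("exp", 0)):
        return None  # expired: the client must use its refresh token to obtain a new one
    return claims


def authorize(token: str, required_scope: str, now: int) -> bool:
    """Least privilege: the request succeeds only if the token carries the needed scope."""
    claims = verify_access_token(token, now)
    return claims is not None and required_scope in claims["scope"].split()
```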
Sessions can be monitored and revoked instantly from account settings. If you see suspicious activity, end it immediately.
The Bigger Picture
Authentication in Lovelace isn't just about proving identity—it's about enabling secure collaboration while maintaining control. You can grant specific permissions to API keys, limit session durations, require approval for sensitive operations, and audit all authentication events.
The goal is security that's robust enough for production systems but smooth enough that users never think about it. When authentication is working correctly, it's invisible.
Related Concepts
- Integrations - OAuth connections to external services
- Platform Architecture - How authentication works across products
- Agents - Agent execution within security boundaries