For developers
Tenant-scoped auth tokens
Every reset / invite / email-verify token carries a signed tenant binding. A link issued for workspace A can't be consumed inside workspace B.
Last updated May 19, 2026
Tokens are signed with HMAC-SHA256, keyed by the AUTH_TOKEN_SECRET environment variable. The payload includes { sub, kind, exp, nonce, tnt? }. The tenant slug (tnt) is optional — platform-level tokens omit it.
Verification
import { verifyToken } from "@/lib/auth-tokens"
const v = verifyToken(token, "password-reset")
if (!v.ok) return res.status(400).json({ error: v.reason })
// payload.tnt is the workspace slug. Compare against the URL
// slug; reject mismatches to prevent cross-tenant token reuse.
if (v.payload.tnt && v.payload.tnt !== urlTenantSlug) {
  return res.status(403).json({ error: "tenant-mismatch" })
}
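The page describes the token scheme (HMAC-SHA256 keyed by AUTH_TOKEN_SECRET, a payload of { sub, kind, exp, nonce, tnt? }, and a kind plus tenant check on consumption) but not the wire format or the internals of "@/lib/auth-tokens". The block below is an added, self-contained illustration, not the project's own library: the base64url(JSON).base64url(MAC) encoding, the names issueToken and checkTenant, and the requireTenant option are assumptions. It verifies the MAC in constant time before parsing, then enforces kind, expiry and the tenant binding exactly as the snippet above does; the requireTenant flag goes one step further than the page's snippet by letting a tenant-scoped route refuse tokens that carry no tnt at all.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Assumed: the key comes from AUTH_TOKEN_SECRET as the page states. The
// fallback is a constructed value so the example can run offline.
const DEFAULT_SECRET: string =
  process.env.AUTH_TOKEN_SECRET ?? "constructed-example-secret-not-for-production";

export type TokenKind = "password-reset" | "invite" | "email-verify";

export interface TokenPayload {
  sub: string;     // subject: the user the link was issued for
  kind: TokenKind; // which flow may consume the token
  exp: number;     // expiry, unix seconds
  nonce: string;   // random per token, so identical fields still yield distinct tokens
  tnt?: string;    // tenant (workspace) slug; omitted on platform-level tokens
}

export type VerifyResult =
  | { ok: true; payload: TokenPayload }
  | { ok: false; reason: string };

// Assumed wire format: base64url(JSON payload) + "." + base64url(HMAC-SHA256(body)).
function mac(body: string, secret: string): string {
  return createHmac("sha256", secret).update(body).digest().toString("base64url");
}

export function issueToken(
  fields: { sub: string; kind: TokenKind; tnt?: string },
  ttlSeconds: number,
  now: number = Math.floor(Date.now() / 1000),
  secret: string = DEFAULT_SECRET,
): string {
  const payload: TokenPayload = {
    ...fields,
    exp: now + ttlSeconds,
    nonce: randomBytes(16).toString("base64url"),
  };
  const body = Buffer.from(JSON.stringify(payload), "utf8").toString("base64url");
  return `${body}.${mac(body, secret)}`;
}

export function verifyToken(
  token: string,
  expectedKind: TokenKind,
  now: number = Math.floor(Date.now() / 1000),
  secret: string = DEFAULT_SECRET,
): VerifyResult {
  const malformed: VerifyResult = { ok: false, reason: "malformed" };
  const dot = token.indexOf(".");
  if (dot < 0 || token.indexOf(".", dot + 1) !== -1) return malformed;
  const body = token.slice(0, dot);
  const given = Buffer.from(token.slice(dot + 1), "utf8");
  const expected = Buffer.from(mac(body, secret), "utf8");
  // Authenticate before parsing: only a correctly signed body is ever decoded.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  let payload: TokenPayload;
  try {
    payload = JSON.parse(Buffer.from(body, "base64url").toString("utf8")) as TokenPayload;
  } catch {
    return malformed;
  }
  if (payload === null || typeof payload !== "object") return malformed;
  if (typeof payload.sub !== "string" || typeof payload.nonce !== "string") return malformed;
  if (typeof payload.exp !== "number") return malformed;
  if (payload.tnt !== undefined && typeof payload.tnt !== "string") return malformed;
  // A reset token must not be accepted by the invite flow, and vice versa.
  if (payload.kind !== expectedKind) return { ok: false, reason: "wrong-kind" };
  if (payload.exp <= now) return { ok: false, reason: "expired" };
  return { ok: true, payload };
}

// The tenant binding check from the page's snippet. requireTenant is an
// assumed extension: a tenant-scoped route can insist that tnt be present,
// so a platform-level token cannot be consumed inside any workspace.
export function checkTenant(
  payload: TokenPayload,
  urlTenantSlug: string,
  requireTenant: boolean = false,
): string | null {
  if (payload.tnt === undefined) return requireTenant ? "tenant-required" : null;
  return payload.tnt === urlTenantSlug ? null : "tenant-mismatch";
}
```

In a route handler the three calls compose as: verifyToken(token, "password-reset"), then checkTenant(v.payload, urlTenantSlug, true) on tenant-scoped endpoints, returning 400 for a verification failure and 403 for a tenant failure as the page's snippet does. Because the MAC covers the whole body, editing tnt inside an otherwise valid token invalidates the signature, which is what makes the tenant binding enforceable.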