Athena

Authentication

Overview

Athena uses a dual authentication system. Inbound requests are authenticated by a single pipeline that accepts Laravel web sessions, Sanctum API tokens and an OAuth-based integration with the Multiplai platform, so browser users, API clients and Multiplai users all pass through the same checks. Outbound connections to external services are handled separately by the provider system, which stores a credential and an authentication strategy for each provider.

Core Authentication Concepts

Dual Authentication Strategy

Athena's authentication system uses a cascading model: several authentication methods are attempted in a fixed priority order, and the first one that succeeds wins.
1. Session-Based Authentication - users already logged in via a web session
2. Multiplai OAuth Authentication - requests carrying a validated Multiplai token
3. Sanctum Token Authentication - API tokens for programmatic access
4. Fallback Rejection - a clear authentication error when every method has failed
Two consequences of the ordering are worth keeping in mind. A request that carries both a session cookie and a bearer token is authenticated as the session user; the token is not consulted. And a Multiplai header that fails validation does not reject the request on its own; the pipeline falls through to the Sanctum token check, so a request is rejected only after all methods have been tried.

Authentication Flow Priority

The system evaluates authentication attempts in this order:
Incoming Request
    ↓
Check Session Authentication
    ↓ (if not authenticated)
Attempt Multiplai OAuth
    ↓ (if no Multiplai header or validation fails)
Try Sanctum Token
    ↓ (if no token or token invalid)
Reject with Authentication Error

Authentication Methods

1. Session-Based Authentication

Purpose: Traditional web sessions for the frontend application
How it works:
Users log in through the web interface with email and password
Laravel creates the session and issues the session cookie
Subsequent requests are authenticated by validating that session
Requests made under a session are subject to Laravel's CSRF token check
Use cases:
Web application user interface
Administrative panels
Direct user interactions

2. Multiplai OAuth Integration

Purpose: Seamless integration with the Multiplai platform ecosystem
How it works:
Requests from Multiplai include an X-Multiplai-Authorization header carrying the OAuth token
Athena validates that token against the Multiplai API rather than verifying it locally
The local user account is created or updated from the OAuth data that comes back
Organizations and permissions are synchronized from the same data
Key features:
Automatic User Sync - user profiles are updated with the latest OAuth data on each authentication
Email Verification Bypass - users arriving through Multiplai are marked as verified on the strength of Multiplai's validation, without going through Athena's own email verification
Organization Integration - syncs the user's organization memberships
Seamless Experience - no additional login is required for Multiplai users

3. Sanctum Token Authentication

Purpose: API access for applications, mobile apps, and automated systems
How it works:
Users authenticate and receive long-lived API tokens
The plaintext token is shown once at creation; Sanctum stores only a hash of it, so a lost token cannot be recovered and must be reissued
Tokens are sent on API requests in the Authorization: Bearer <token> header
Tokens can be scoped to specific abilities
Tokens can be revoked and managed individually
Key features:
Configurable Expiration - tokens can have custom lifespans
Permission Scoping - tokens can be limited to specific actions
Revocation Support - tokens can be individually revoked
Multi-Device Support - users can hold several active tokens, one per device or client
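The following Python model of the cascade and of Sanctum-style tokens is an added example, not Athena's code (Athena's backend is Laravel). It assumes Sanctum's default token storage scheme (plaintext `<id>|<secret>` shown once, sha256 of the secret stored), hypothetical ability names, and a `verify_multiplai` callback standing in for the round trip to the Multiplai API. It exercises the two ordering consequences from the Dual Authentication Strategy section and the token features listed above: expiry, scoping, per-token revocation and the per-device token list.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable


# Tokens modelled on Sanctum's storage scheme (an assumption about Athena's setup):
# the client sees "<id>|<secret>" once and only sha256(secret) is persisted, so a
# copy of the tokens table does not yield usable credentials.
@dataclass
class AccessToken:
    id: int
    user_id: int
    name: str                      # device or client label, for the multi-device view
    token_hash: str
    abilities: list[str]           # scope names are hypothetical; "*" = unrestricted
    expires_at: datetime | None
    revoked: bool = False

    def can(self, ability: str) -> bool:
        return "*" in self.abilities or ability in self.abilities


class TokenStore:
    def __init__(self) -> None:
        self._tokens: dict[int, AccessToken] = {}
        self._next_id = 1

    def issue(self, user_id: int, name: str, abilities=("*",),
              ttl_seconds: int | None = None) -> str:
        """Create a token; the plaintext is returned once and never stored."""
        secret = secrets.token_urlsafe(32)
        expires = (datetime.now(timezone.utc) + timedelta(seconds=ttl_seconds)
                   if ttl_seconds is not None else None)
        tok = AccessToken(self._next_id, user_id, name,
                          hashlib.sha256(secret.encode()).hexdigest(),
                          list(abilities), expires)
        self._tokens[tok.id] = tok
        self._next_id += 1
        return f"{tok.id}|{secret}"

    def find(self, plaintext: str) -> AccessToken | None:
        """None for malformed, unknown, tampered, revoked or expired tokens."""
        tid, sep, secret = plaintext.partition("|")
        if not sep or not tid.isdigit():
            return None
        tok = self._tokens.get(int(tid))
        if tok is None or tok.revoked:
            return None
        digest = hashlib.sha256(secret.encode()).hexdigest()
        if not secrets.compare_digest(digest, tok.token_hash):  # constant-time compare
            return None
        if tok.expires_at is not None and tok.expires_at <= datetime.now(timezone.utc):
            return None
        return tok

    def revoke(self, token_id: int) -> None:
        self._tokens[token_id].revoked = True

    def active_for(self, user_id: int) -> list[AccessToken]:
        """Multi-device view: every token the user could still present."""
        now = datetime.now(timezone.utc)
        return [t for t in self._tokens.values() if t.user_id == user_id
                and not t.revoked and (t.expires_at is None or t.expires_at > now)]


@dataclass
class Request:
    headers: dict[str, str] = field(default_factory=dict)
    session_user_id: int | None = None   # set only when a valid session cookie resolved


@dataclass
class AuthResult:
    user_id: int | None
    method: str                          # "session" | "multiplai" | "sanctum" | "rejected"
    token: AccessToken | None = None
    reason: str = ""


def authenticate(req: Request, tokens: TokenStore,
                 verify_multiplai: Callable[[str], int | None]) -> AuthResult:
    """Documented priority order: the first method that succeeds wins."""
    # 1. A live session beats any header the same request also carries.
    if req.session_user_id is not None:
        return AuthResult(req.session_user_id, "session")
    # 2. Multiplai header. verify_multiplai stands in for the round trip to the
    #    Multiplai API; per the flow diagram a failed check falls through.
    header = req.headers.get("X-Multiplai-Authorization")
    if header:
        user_id = verify_multiplai(header)
        if user_id is not None:
            return AuthResult(user_id, "multiplai")
    # 3. Sanctum bearer token.
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        tok = tokens.find(auth[len("Bearer "):].strip())
        if tok is not None:
            return AuthResult(tok.user_id, "sanctum", tok)
        return AuthResult(None, "rejected", reason="token invalid, expired or revoked")
    # 4. Nothing usable was presented.
    return AuthResult(None, "rejected", reason="no credentials")
```

Because `find` hashes the presented secret and compares it in constant time, the plaintext never needs to be stored; a token a user loses is simply revoked and reissued. `authenticate` makes the precedence explicit: a request that carries a session cookie is never evaluated against its bearer token, and a Multiplai header that fails validation falls through to the token check, which is what the flow diagram describes.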

Provider Integration System

Flexible Authentication Strategies

Athena supports several authentication strategies for connecting to external services:

OAuth 2.0 Integration

Full OAuth 2.0 authorization-code flow
Automatic token refresh and management
Secure storage of access and refresh tokens
Support for custom scopes and permissions

Token-Based Authentication

Direct API token integration for services
Support for various token types (Bearer, API key, custom headers)
Flexible token placement (headers, query parameters, body); prefer a header where the service allows it, since a token in the query string ends up in URL logs, proxies and browser history

Basic Authentication

Traditional username/password authentication
Secure credential storage and management
Support for legacy systems that require basic auth

Provider Configuration

Each external service provider is configured with:
Authentication Strategy - which authentication method to use
Connection Details - URLs, endpoints, and configuration
Credentials - securely stored authentication data
Scopes & Permissions - what access the integration has
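As an added example (Python, not Athena's code) of how the strategies above map onto an outgoing request, the function below attaches a stored provider credential according to its configured strategy and placement. `Provider`, `OutboundRequest` and their field names are hypothetical stand-ins for Athena's provider record, the `refresh` callback stands in for the provider's token endpoint, and the credentials are assumed to have been decrypted from the at-rest store just before the call.

```python
from __future__ import annotations

import base64
import time
from dataclasses import dataclass, field
from typing import Callable
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


@dataclass
class OutboundRequest:
    method: str
    url: str
    headers: dict[str, str] = field(default_factory=dict)
    body: dict[str, str] = field(default_factory=dict)


@dataclass
class Provider:
    """Hypothetical provider record; credentials are already decrypted here."""
    strategy: str                        # "oauth2" | "bearer" | "api_key" | "basic"
    credentials: dict[str, str]
    placement: str = "header"            # api_key only: "header" | "query" | "body"
    param_name: str = "X-API-Key"        # header name, query key or body key for api_key
    expires_at: float | None = None      # oauth2 access-token expiry, epoch seconds
    refresh: Callable[[str], tuple[str, float]] | None = None  # refresh_token -> (access, expiry)


REFRESH_SKEW = 60  # seconds; refresh a little early so the token is live on arrival


def _add_query(url: str, key: str, value: str) -> str:
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + [(key, value)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def apply_auth(provider: Provider, req: OutboundRequest, now=time.time) -> OutboundRequest:
    """Attach the provider's credential to an outbound request per its strategy."""
    s, c = provider.strategy, provider.credentials
    if s == "oauth2":
        # Refresh before expiry; the new pair is written back onto the record so it
        # stays current (a real store would re-encrypt and persist it at this point).
        if provider.expires_at is not None and now() >= provider.expires_at - REFRESH_SKEW:
            if provider.refresh is None or "refresh_token" not in c:
                raise PermissionError("access token expired and no refresh path available")
            c["access_token"], provider.expires_at = provider.refresh(c["refresh_token"])
        req.headers["Authorization"] = f"Bearer {c['access_token']}"
    elif s == "bearer":
        req.headers["Authorization"] = f"Bearer {c['token']}"
    elif s == "api_key":
        if provider.placement == "header":
            req.headers[provider.param_name] = c["key"]
        elif provider.placement == "query":
            # Supported for services that insist on it, but the key now shows up in
            # URL logs, proxies and referrers; header placement is the default.
            req.url = _add_query(req.url, provider.param_name, c["key"])
        elif provider.placement == "body":
            req.body[provider.param_name] = c["key"]
        else:
            raise ValueError(f"unknown placement {provider.placement!r}")
    elif s == "basic":
        pair = f"{c['username']}:{c['password']}".encode()
        req.headers["Authorization"] = "Basic " + base64.b64encode(pair).decode()
    else:
        raise ValueError(f"unknown authentication strategy {s!r}")
    return req
```

The clock is injectable so the refresh path can be tested without waiting; an expired access token with no refresh token is a hard failure rather than a silent unauthenticated call, which is the outcome a practitioner wants surfaced in the provider's error state.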

Security Architecture

Multi-Layer Security

1. Authentication Layer
Multiple authentication methods provide redundancy
Each method is validated independently
Failed attempts are logged and monitored
2. Token Security
Sanctum tokens are generated from a cryptographically secure random source
OAuth tokens are validated against the external provider
Token refresh keeps provider credentials from going stale
3. Session Security
CSRF protection for web-based sessions
Secure cookie handling with the appropriate flags (HttpOnly, Secure, SameSite)
Session ID regeneration on login, which defeats session fixation
4. Integration Security
External provider tokens are encrypted at rest
OAuth flows use state parameters to prevent CSRF
Provider credentials are stored using secure secret management

Rate Limiting & Protection

Login Attempts - rate limiting slows brute-force guessing of passwords
Token Usage - API rate limiting prevents abuse
OAuth Flows - the state value binds a callback to the session that started the flow; it must also be single-use for the check to stop a captured callback from being replayed
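An added example (Python, not Athena's code) of the state handling that the two items above describe, for the authorization-code flow used with OAuth 2.0 providers. The session is a plain dict standing in for the Laravel session, the 600-second state lifetime is an assumption, and the provider and callback URLs used in the usage below are placeholders. States are consumed on first use, which is what makes the check stop replays as well as CSRF.

```python
from __future__ import annotations

import secrets
import time
from urllib.parse import urlencode

STATE_TTL_SECONDS = 600  # assumed: how long a user may take on the consent screen


class OAuthStateError(Exception):
    """Raised when a callback cannot be tied to an authorization this session started."""


def begin_authorization(session: dict, provider: str, authorize_url: str,
                        client_id: str, redirect_uri: str, scopes: list[str],
                        now=time.time) -> str:
    """Record a fresh state in the user's session and build the redirect URL."""
    state = secrets.token_urlsafe(32)
    session.setdefault("oauth_state", {})[provider] = {"value": state, "issued_at": now()}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{authorize_url}?{urlencode(params)}"


def finish_authorization(session: dict, provider: str, callback_params: dict,
                         now=time.time) -> str:
    """Validate the callback and return the authorization code, or raise."""
    # Pop first: the pending state is consumed whatever happens next, so the same
    # callback cannot be presented twice and a guessed state cannot be retried.
    pending = session.get("oauth_state", {}).pop(provider, None)
    if pending is None:
        raise OAuthStateError("no authorization in progress for this provider")
    presented = str(callback_params.get("state", "")).encode()
    if not secrets.compare_digest(presented, pending["value"].encode()):
        raise OAuthStateError("state mismatch: callback was not started by this session")
    if now() - pending["issued_at"] > STATE_TTL_SECONDS:
        raise OAuthStateError("state expired; restart the authorization")
    if "error" in callback_params:
        raise OAuthStateError(f"provider returned error {callback_params['error']!r}")
    code = callback_params.get("code")
    if not code:
        raise OAuthStateError("callback carried no authorization code")
    return code
```

Popping the pending state before comparing means one wrong or stale callback invalidates the flow and the user starts again; that is cheaper than letting an attacker retry guesses against a still-pending state in the victim's session. The code returned here is what gets exchanged at the provider's token endpoint for the access and refresh tokens that the Integration Security item says are encrypted at rest.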

User Synchronization

Multiplai User Sync Process

When a user authenticates via Multiplai OAuth:
1. User Profile Sync - name, email, and profile data are updated
2. Email Verification - the user is automatically marked as verified
3. Organization Sync - the user's organization memberships are synchronized
4. Workspace Access - the corresponding workspace permissions are assigned

Data Consistency

The system keeps local data consistent with Multiplai by:
Automatic Updates - user data is refreshed on every OAuth authentication, not only at first login
Conflict Resolution - OAuth data takes precedence over local changes, so a profile field edited locally is overwritten the next time the user authenticates through Multiplai
Audit Trails - all authentication events are logged for tracking
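An added example (Python, not Athena's code) of the sync process described above: create-or-update keyed on Multiplai's stable subject id (an assumption; the page does not say which field Athena matches on), with OAuth data overwriting local edits, the verified flag set, and organization membership replaced wholesale so that departures are removed as well as additions applied. The field and profile names are hypothetical, and the directory is an in-memory stand-in for the users table.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class LocalUser:
    id: int
    multiplai_id: str                 # stable subject id from Multiplai (assumed key)
    email: str
    name: str
    email_verified: bool = False
    organizations: set[str] = field(default_factory=set)
    nickname: str = ""                # local-only field: the sync must leave it alone


class UserDirectory:
    """In-memory stand-in for the users table, keyed by the Multiplai subject id."""

    def __init__(self) -> None:
        self.by_multiplai_id: dict[str, LocalUser] = {}
        self._next_id = 1

    def sync_from_multiplai(self, profile: dict) -> tuple[LocalUser, list[str]]:
        """Create or update the local account from a validated Multiplai profile.
        OAuth data wins over local edits; returns the user and a change log."""
        for required in ("id", "email", "name"):
            if not profile.get(required):
                raise ValueError(f"Multiplai profile missing {required!r}")
        orgs = set(profile.get("organizations", []))
        user = self.by_multiplai_id.get(profile["id"])
        if user is None:
            # Key on the provider's subject id, never on email: an address can be
            # reassigned upstream, and matching on it would link the wrong account.
            user = LocalUser(self._next_id, profile["id"], profile["email"],
                             profile["name"], email_verified=True, organizations=orgs)
            self.by_multiplai_id[user.multiplai_id] = user
            self._next_id += 1
            return user, ["created", "email verified"] + [f"org +{o}" for o in sorted(orgs)]
        changes: list[str] = []
        for attr in ("email", "name"):
            if getattr(user, attr) != profile[attr]:
                changes.append(f"{attr}: {getattr(user, attr)!r} -> {profile[attr]!r}")
                setattr(user, attr, profile[attr])     # OAuth data takes precedence
        if not user.email_verified:
            user.email_verified = True
            changes.append("email verified")
        for org in sorted(orgs - user.organizations):
            changes.append(f"org +{org}")
        for org in sorted(user.organizations - orgs):
            changes.append(f"org -{org}")
        user.organizations = orgs          # full replace: departures are removed too
        return user, changes
```

The change list is what you would write to the audit trail the Data Consistency section mentions; an empty list on a repeat login is the normal case and worth asserting in tests, because a sync that reports spurious changes every time will bury real ones.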

Workspace Integration

Authentication Context

Authentication is tightly integrated with Athena's workspace system:
Workspace Scoping - authentication includes workspace context
Permission Inheritance - user roles are workspace-specific
Resource Access - authentication determines which workspace resources a user can reach

Multi-Tenant Authentication

Users can belong to multiple workspaces with different roles
The authentication context resolves the appropriate workspace for each request
Permissions are scoped dynamically based on workspace membership

API Authentication Patterns

Frontend Applications

Recommended approach: session-based authentication
Web applications use traditional cookie sessions
CSRF protection is handled automatically
Seamless user experience with automatic session management

Mobile Applications

Recommended approach: Sanctum token authentication
Mobile apps authenticate once and receive a long-lived token
Store the token in the platform keystore (Keychain on iOS, Keystore on Android), never in plain preferences or logs
Rotate tokens periodically by issuing a new one and revoking the old

API Integrations

Recommended approach: provider-specific authentication
External integrations use whichever method the service supports
OAuth for platforms that support it
Token-based for API-first services
Basic auth for legacy systems

Server-to-Server

Recommended approach: Sanctum tokens with scoped permissions
Backend services use API tokens
Tokens are scoped to the specific operations the service needs
Service accounts can be created for automated systems, so that a token is not tied to a person's login

Best Practices

For Users

Use strong, unique passwords
Enable two-factor authentication when it becomes available (it is listed under Future Enhancements below)
Regularly review active sessions and revoke unused tokens
Keep OAuth connections up to date by re-authorizing when needed

For Developers

Choose the authentication method that fits the use case
Store tokens securely and rotate them
Handle authentication errors gracefully; an authentication error should trigger re-authentication, not a blind retry loop
Monitor authentication patterns for unusual activity

For Administrators

Regularly audit user access and remove inactive accounts
Monitor OAuth integrations for security issues
Review authentication logs for suspicious patterns
Keep provider configurations updated with the latest security settings

Common Scenarios

Web Application Users

1. User visits the application
2. Redirected to the login page if not authenticated
3. Enters email/password credentials
4. Session is created and the user gains access
5. Subsequent requests use session authentication

Multiplai Platform Users

1. User is already authenticated on the Multiplai platform
2. Accesses Athena through the Multiplai integration
3. OAuth token is validated automatically
4. User profile is synchronized
5. Access is granted without an additional login

API Developers

1. Developer creates an account on Athena
2. Generates an API token with the appropriate scopes
3. Includes the token in API requests via the Authorization header
4. API requests are processed with the user's permissions

External Service Integration

1. User connects an external service (e.g., Google Drive)
2. OAuth flow redirects to the external service
3. User authorizes Athena to access their account
4. Access and refresh tokens are securely stored
5. Athena can now access the external service on the user's behalf

Troubleshooting

Authentication Failures

Session Issues
Clear browser cookies and cache
Check for CSRF token mismatches
Verify session storage is working
OAuth Problems
Verify the OAuth provider configuration
Check that redirect URLs match exactly, including scheme, host, port and trailing slash
Ensure OAuth tokens haven't expired
API Token Issues
Verify the token is sent as Authorization: Bearer <token>
Check that the token hasn't been revoked or expired
Confirm the token has the scopes the endpoint requires
Remember that a request with a live session cookie is authenticated as the session user, regardless of the token it carries

Integration Problems

Provider Authentication
Verify provider credentials are correct
Check that the external service is reachable
Confirm the authentication strategy matches the provider's requirements
Permission Errors
Verify the user has access to the workspace
Check that the required permissions are granted
Confirm resource visibility settings

Future Enhancements

Planned Improvements

Multi-Factor Authentication - Additional security layer for sensitive operations
Social Login Expansion - Support for additional OAuth providers (Google, GitHub, etc.)
Advanced Token Management - Automatic token rotation and enhanced scoping
Federated Identity - Support for enterprise identity providers (SAML, LDAP)

Security Roadmap

Advanced Threat Detection - Monitor authentication patterns for suspicious activity
Enhanced Encryption - Upgrade token storage encryption methods
Compliance Features - Additional security controls for enterprise requirements
Audit Enhancements - More detailed logging and reporting capabilities

Summary

Athena's authentication system provides a flexible foundation for access control across the platform. By combining several authentication methods in a fixed priority order, it serves browser users, Multiplai users and API clients through one pipeline while keeping each method's validation independent.
The dual authentication model handles both internal users and external integrations: inbound requests are authenticated by the cascade, and the provider system stores per-service credentials so Athena can call external services on a user's behalf. This architecture scales from individual developers to enterprise teams with consistent security and usability standards.
Modified at 2025-06-20 03:50:38