Authentication

Security and access control for the Sensei AI platform.

Access Levels

Admin Dashboard
Internal team access

The admin dashboard at /admin is used by the internal team to:

  • Create and manage clients
  • Configure chatbot settings
  • Manage knowledge bases
  • View leads and sessions

Public APIs
Widget and chat endpoints

Public endpoints are protected by client ID validation:

  • /api/chat - Requires valid clientId
  • /api/lead - Requires valid clientId
  • /api/widget/config - Requires valid clientId

Security Model

Client ID Validation

All API requests require a valid client ID. The system validates that:

  1. The client ID exists in the database
  2. The client is active
  3. Data returned is scoped to that client only

// Example: Chat API validates client
// `supabase` is the initialized supabase-js client; `clientId` is taken from the request.
// This lookup covers step 1 (the client row must exist). `.single()` expects exactly
// one matching row and leaves `data` null (with an error set) when none is found.
const { data: client } = await supabase
  .from('clients')
  .select('id')
  .eq('id', clientId)
  .single()

// Reject the request when no matching client row exists
if (!client) {
  return { error: 'Invalid client ID' }
}
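The three checks above carried through end to end, as an added example rather than the project's own code: it runs against a constructed in-memory stand-in for the Supabase `clients` and `leads` tables, and the column names `active` and `client_id` are assumptions, not the real schema.

```javascript
// Added example, not code from the Sensei AI project: the three-step
// client ID check described above, run against a constructed in-memory
// stand-in for the Supabase `clients` and `leads` tables. The column
// names `active` and `client_id` are assumptions, not the real schema.
const clients = [
  { id: 'client-a', active: true },
  { id: 'client-b', active: false }, // deactivated client
];
const leads = [
  { id: 1, client_id: 'client-a', email: 'a@example.com' },
  { id: 2, client_id: 'client-b', email: 'b@example.com' },
];

// Steps 1 and 2: the client must exist and be active. The same error is
// returned in both cases so a caller cannot tell unknown IDs from
// deactivated ones.
function validateClient(clientId) {
  if (typeof clientId !== 'string' || clientId === '') {
    return { ok: false, error: 'Invalid client ID' };
  }
  const client = clients.find((c) => c.id === clientId);
  if (!client || !client.active) {
    return { ok: false, error: 'Invalid client ID' };
  }
  return { ok: true, client };
}

// Step 3: reads are filtered by the validated client's ID, never by a
// filter taken from the request.
function listLeads(clientId) {
  const check = validateClient(clientId);
  if (!check.ok) return { error: check.error, data: [] };
  return { data: leads.filter((l) => l.client_id === check.client.id) };
}

// Step 3 for writes: the stored client_id comes from the validated
// client, so a body that carries someone else's client_id is ignored.
function createLead(clientId, body) {
  const check = validateClient(clientId);
  if (!check.ok) return { error: check.error };
  const lead = { id: leads.length + 1, client_id: check.client.id, email: String(body.email) };
  leads.push(lead);
  return { data: lead };
}
```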

Adding Authentication (Future)

Recommended Approaches

Option 1: Supabase Auth

Use Supabase's built-in authentication with email/password or social logins. Integrates seamlessly with the existing database.

Option 2: NextAuth.js

Add NextAuth.js for flexible authentication with multiple providers (Google, GitHub, credentials, etc.).

Option 3: Clerk

Use Clerk for a complete authentication solution with user management, organizations, and role-based access control.

Security Best Practices

• Keep API keys secure and never commit them to version control

• Use environment variables for all sensitive configuration

• Limit admin dashboard access to trusted team members

• Regularly rotate API keys

• Monitor API usage for unusual patterns