Authentication

Redstick Agents supports email/password authentication and OAuth via Anthropic's Claude platform.

Signup

Create a new workspace by providing:

  • Workspace name and slug (3 to 63 characters: lowercase letters, digits and hyphens)
  • Email and password (at least 8 characters, including an uppercase letter, a lowercase letter, a digit and a special character)

A real-time password strength indicator helps you choose a strong password. After signup, verify your email via the link sent to your inbox.

Rate limiting: Signups are limited to 3 per IP address within a 15-minute window.

Login

Enter your workspace slug, email, and password. Failed login attempts are rate-limited:

  • 5 attempts per email address per 15-minute window
  • 20 attempts per IP address per 15-minute window

Sessions use a hybrid Redis+PostgreSQL model with a 7-day TTL. Redis serves as the hot read path; PostgreSQL provides durable session history and concurrent-session enforcement. In production, session cookies use the __Host- prefix, which browsers accept only when the cookie is marked Secure, is scoped to Path=/ and carries no Domain attribute, so the cookie is bound to the exact host that set it.

OAuth (Anthropic)

Connect your Anthropic account via the OAuth PKCE flow:

  1. Go to Providers and click Connect with Claude
  2. You'll be redirected to Claude's authorization page
  3. Approve the connection
  4. You're redirected back, and the resulting API key is stored securely

This provides a Claude API key without manually copying it from the Anthropic console.

Email Verification

Unverified accounts have limited functionality. The verification token expires after 24 hours. You can request a new verification email from the login page.

Password Reset

  1. Click Forgot Password on the login page
  2. Enter your email address
  3. Check your inbox for a reset link (valid for 1 hour)
  4. Set a new password

Password resets invalidate all existing sessions for security.

Rate limiting: Password reset requests are rate-limited by IP address.

Session Management

View and manage your active sessions from Profile:

  • See all active sessions with IP address and user agent
  • Revoke any session except your current one
  • Sessions automatically expire after 7 days of inactivity
  • Concurrent session limit: Maximum 10 sessions per user — oldest sessions are automatically evicted when the limit is reached
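The session rules above (7-day inactivity TTL, a cap of 10 concurrent sessions with oldest-first eviction, revoking any session but the current one) together with the reset-time invalidation from Password Reset, in one small in-memory store. This is an added example of the design, not Redstick Agents' own code: a dict stands in for the Redis hot path, sessions are keyed by a hash of the bearer token rather than the token itself, and "oldest" is taken to mean least recently active.

```python
import hashlib
import secrets
import time

SESSION_TTL = 7 * 24 * 3600   # 7 days of inactivity, as stated on the page
MAX_SESSIONS = 10             # concurrent-session limit, as stated on the page

def session_id(token):
    return hashlib.sha256(token.encode()).hexdigest()  # store hashes, not bearer tokens

class SessionStore:
    """In-memory stand-in for the hot session path (assumed design, not the product's code)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # session_id -> {"user", "ip", "ua", "last_seen"}

    def create(self, user, ip, ua):
        """Issue a token; evict the user's least recently seen sessions beyond MAX_SESSIONS."""
        token = secrets.token_urlsafe(32)
        self._sessions[session_id(token)] = {"user": user, "ip": ip, "ua": ua, "last_seen": self._clock()}
        mine = sorted((s["last_seen"], sid) for sid, s in self._sessions.items() if s["user"] == user)
        for _, sid in mine[:-MAX_SESSIONS]:   # "oldest" taken as least recently active (assumption)
            del self._sessions[sid]
        return token

    def resolve(self, token):
        """Session for a token, or None if unknown or idle past the TTL; refreshes last_seen."""
        s = self._sessions.get(sid := session_id(token))
        if s is None or self._clock() - s["last_seen"] > SESSION_TTL:
            self._sessions.pop(sid, None)   # idle-expired sessions are dropped when next touched
            return None
        s["last_seen"] = self._clock()
        return s

    def revoke(self, current_token, target_sid):
        """Revoke another of the caller's sessions; the current session cannot revoke itself."""
        cur = self._sessions.get(session_id(current_token))
        tgt = self._sessions.get(target_sid)
        if cur is None or tgt is None or tgt is cur or tgt["user"] != cur["user"]:
            return False
        del self._sessions[target_sid]
        return True

    def revoke_all(self, user):
        """Password-reset hook: invalidate every session the user holds, returning how many."""
        doomed = [sid for sid, s in self._sessions.items() if s["user"] == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)
```

The `clock` parameter exists so the TTL and eviction behaviour can be exercised with a fake clock; production code would leave it at the default.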

MFA Enforcement

Workspace owners and admins can require all members to use multi-factor authentication:

  • When MFA enforcement is enabled on a workspace, users without MFA enrolled receive a 403 error on all authenticated endpoints until they enroll
  • Enroll via Profile → Security using a TOTP authenticator app
  • Backup codes are provided during enrollment for account recovery

Provider API Keys

Store your Claude API key securely:

  • Keys are encrypted at rest with AES-256-GCM
  • Only the last 4 characters (the suffix) are displayed after saving
  • A health check verifies that a stored key is still valid
  • Each user can have one key per provider