Authentication

RedStick AI uses email/password authentication. New users can create a brand-new workspace via public signup, or join an existing workspace via an email invitation from a workspace owner or admin. Provider credentials (Anthropic, OpenAI, and others) are managed separately under Providers and are not part of the sign-in flow.

Signup

Create a new workspace by providing:

  • Workspace name and slug (3-63 chars, lowercase, numbers, hyphens; cannot be a reserved word such as www, api, admin)
  • Display name (your name as shown to teammates)
  • Email and password (8+ chars with uppercase, lowercase, digit, special character; common passwords are blocked)
  • Consent checkbox accepting the Privacy Policy and Terms of Service

A real-time password strength indicator helps you choose a strong password. After signup, verify your email via the link sent to your inbox.

Rate limiting: Signups are limited to 3 per IP address within a 15-minute window.
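As an added example (not RedStick's own code), a Python validator for the slug and password rules listed above; the reserved-word set and the common-password blocklist are short constructed samples, and the real lists are assumed to be larger.

```python
import re

# Constructed samples: the page names www, api and admin as reserved; the
# real reserved-word list and common-password blocklist are assumed larger.
RESERVED_SLUGS = {"www", "api", "admin"}
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein", "welcome1"}

SLUG_RE = re.compile(r"^[a-z0-9-]+$")


def validate_slug(slug: str) -> list[str]:
    """Return the list of rule violations; an empty list means the slug is acceptable."""
    errors = []
    if not 3 <= len(slug) <= 63:
        errors.append("slug must be 3-63 characters")
    if not SLUG_RE.match(slug):
        errors.append("slug may contain only lowercase letters, digits and hyphens")
    if slug in RESERVED_SLUGS:
        errors.append("slug is reserved")
    return errors


def validate_password(password: str) -> list[str]:
    """Return the list of unmet password requirements (empty means the password passes)."""
    checks = [
        (len(password) >= 8, "at least 8 characters"),
        (re.search(r"[A-Z]", password) is not None, "an uppercase letter"),
        (re.search(r"[a-z]", password) is not None, "a lowercase letter"),
        (re.search(r"[0-9]", password) is not None, "a digit"),
        (re.search(r"[^A-Za-z0-9]", password) is not None, "a special character"),
        (password.lower() not in COMMON_PASSWORDS, "not a commonly used password"),
    ]
    return [msg for ok, msg in checks if not ok]


def validate_signup(slug: str, password: str, consent: bool) -> dict[str, list[str]]:
    """Collect violations per field so the form can show all of them at once."""
    problems = {"slug": validate_slug(slug), "password": validate_password(password)}
    if not consent:
        problems["consent"] = ["you must accept the Privacy Policy and Terms of Service"]
    return {field: errs for field, errs in problems.items() if errs}
```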

Login

Navigate to your workspace URL and enter your email and password. In production each workspace is accessed at its own subdomain (<slug>.redstick.ai); in development all workspaces share localhost:5173/w/<slug>. Failed login attempts are rate-limited:

  • 5 attempts per email address per 15-minute window
  • 20 attempts per IP address per 15-minute window

In addition to rate limiting, a per-email account lockout applies: 5 consecutive failed login attempts lock the account for 15 minutes. The lockout resets automatically after the window expires or on a successful login.
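The interaction between the per-email and per-IP sliding windows and the consecutive-failure lockout is easiest to see in code. The following in-memory model is an added example, not RedStick's implementation; the limits and window are the ones stated above, and the caller is assumed to call check() before verifying the password and record() afterwards.

```python
import time
from collections import defaultdict, deque

WINDOW = 15 * 60            # 15-minute sliding window for both limits
EMAIL_LIMIT = 5             # attempts per email address per window
IP_LIMIT = 20               # attempts per IP address per window
LOCKOUT_THRESHOLD = 5       # consecutive failures that trigger a lockout
LOCKOUT_SECONDS = 15 * 60   # lockout duration


class LoginGuard:
    """In-memory model of the login throttle and lockout (constructed example)."""

    def __init__(self):
        self.attempts = defaultdict(deque)   # (kind, key) -> attempt timestamps
        self.failures = defaultdict(int)     # email -> consecutive failure count
        self.locked_until = {}               # email -> time the lockout ends

    def _in_window(self, key, now):
        q = self.attempts[key]
        while q and q[0] <= now - WINDOW:    # drop attempts older than the window
            q.popleft()
        return len(q)

    def check(self, email, ip, now=None):
        """Return None if the attempt may be processed, otherwise the blocking reason."""
        now = time.time() if now is None else now
        if self.locked_until.get(email, 0) > now:
            return "account locked"
        if self._in_window(("email", email), now) >= EMAIL_LIMIT:
            return "email rate limit"
        if self._in_window(("ip", ip), now) >= IP_LIMIT:
            return "ip rate limit"
        return None

    def record(self, email, ip, success, now=None):
        """Record the outcome of an attempt that passed check()."""
        now = time.time() if now is None else now
        self.attempts[("email", email)].append(now)
        self.attempts[("ip", ip)].append(now)
        if success:                          # success clears the lockout state
            self.failures[email] = 0
            self.locked_until.pop(email, None)
            return
        self.failures[email] += 1
        if self.failures[email] >= LOCKOUT_THRESHOLD:
            self.locked_until[email] = now + LOCKOUT_SECONDS
            self.failures[email] = 0         # counter restarts after the lockout
```

Note that an attempt rejected by check() is never recorded, so a blocked client cannot extend its own lockout; only real authentication failures count toward the consecutive-failure threshold.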

Sessions use a hybrid Redis+PostgreSQL model with a rolling 7-day TTL (the clock resets on every authenticated request). Redis serves as the hot read path; PostgreSQL provides durable session history and concurrent-session enforcement. In production, session cookies use the __Host- prefix for enhanced security.

Anthropic Provider — OAuth PKCE Connection

Development environments only. The OAuth PKCE flow is disabled in production per Anthropic's ToS; the Connect with Claude button is hidden and the /api/auth/oauth/claude/start and /api/auth/oauth/claude/exchange endpoints return 404 when APP_ENV is not development.

As an alternative to pasting an Anthropic API key in a local/dev environment, you can connect your Anthropic account via the OAuth PKCE flow. This is a provider credential flow, not a sign-in method:

  1. Go to Providers and click Connect with Claude →
  2. A new tab opens to claude.ai for authorization
  3. Approve the connection and copy the authorization code shown
  4. Paste the code back into the Authorization Code field and click Complete connection

This stores an OAuth access token and refresh token as your Anthropic provider credential (provider type claude_oauth). No API key is created or retrieved from the Anthropic Console; the OAuth token itself is used for inference and is refreshed automatically when it expires.

Email Verification

Unverified accounts have limited functionality. The verification token expires after 24 hours. You can request a new verification email from the Verify your email page that appears after signup, or from the email-verification gate shown when you log in with an unverified account.

Password Reset

  1. Click Forgot Password on the login page
  2. Enter your email address
  3. Check your inbox for a reset link (valid for 1 hour)
  4. Set a new password

Password resets invalidate all existing sessions for security. You cannot reuse a recent password — the system checks your password history and rejects previously used passwords.

Rate limiting: Password reset requests are rate-limited by IP address.

Session Management

View and manage your active sessions from Profile:

  • See all active sessions with IP address and user agent
  • Revoke any session except your current one
  • Sessions automatically expire after 7 days (rolling — the TTL resets on each request)
  • Concurrent session limit: Maximum 10 sessions per user — oldest sessions are automatically evicted when the limit is reached
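The rolling 7-day TTL, the 10-session cap with oldest-first eviction, the revoke-all on password reset and the __Host- cookie prefix described in the Login and Session Management sections, as an added example that is not RedStick's code. It is an in-memory stand-in for the Redis+PostgreSQL store; the cookie name and the HttpOnly/SameSite attributes are assumptions, only the __Host- prefix is from the page.

```python
import secrets
import time
from collections import OrderedDict

SESSION_TTL = 7 * 24 * 3600   # rolling 7-day TTL, extended on every authenticated request
MAX_SESSIONS = 10             # concurrent sessions per user; oldest evicted beyond this

class SessionStore:  # in-memory stand-in for the Redis+PostgreSQL model (constructed)
    def __init__(self):
        self.sessions = {}    # session id -> record
        self.by_user = {}     # user id -> OrderedDict of session ids, oldest first

    def create(self, user_id, ip, user_agent, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user_id, "ip": ip, "ua": user_agent, "expires": now + SESSION_TTL}
        user_sessions = self.by_user.setdefault(user_id, OrderedDict())
        user_sessions[sid] = None
        while len(user_sessions) > MAX_SESSIONS:   # enforce the concurrent-session cap
            oldest, _ = user_sessions.popitem(last=False)
            self.sessions.pop(oldest, None)
        return sid

    def touch(self, sid, now=None):  # called on every authenticated request
        now = time.time() if now is None else now
        rec = self.sessions.get(sid)
        if rec is None:
            return None
        if rec["expires"] <= now:                  # idle past the TTL: treat as revoked
            self.revoke(sid)
            return None
        rec["expires"] = now + SESSION_TTL         # slide the expiry forward (rolling TTL)
        return rec

    def revoke(self, sid):
        rec = self.sessions.pop(sid, None)
        if rec is not None:
            self.by_user[rec["user"]].pop(sid, None)
        return rec is not None

    def revoke_all(self, user_id):  # password reset invalidates every session
        for sid in list(self.by_user.get(user_id, ())):
            self.revoke(sid)

def session_cookie(sid, production=True):
    # __Host- prefix is only valid with Secure, Path=/ and no Domain attribute
    name = "__Host-session" if production else "session"
    secure = "; Secure" if production else ""
    return f"{name}={sid}; Path=/; HttpOnly; SameSite=Lax{secure}"
```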

MFA Enforcement

Workspace owners and admins can require all members to use multi-factor authentication. The workspace-level toggle is under Settings → Security (visible to admins and owners):

  • When MFA enforcement is enabled on a workspace, users without MFA enrolled receive a 403 error on all authenticated endpoints until they enroll
  • Enroll via Profile → Security using a TOTP authenticator app
  • 8 single-use backup codes are provided during enrollment for account recovery

Provider API Keys

Store credentials for AI providers (Anthropic, OpenAI, and others) securely:

  • Keys are encrypted at rest using AES-256-GCM encryption
  • Only the last 4 characters (suffix) are displayed after saving
  • Keys can be verified for validity with a health check
  • Each user can have one key per provider
  • Use Refresh models to re-fetch the provider's model catalog and repopulate the model picker
  • Use Set default model to pin a specific model for a credential

Account Default: One credential per workspace can be designated as the account default. Projects that have not overridden their provider use this default credential at execution time. The first credential you add is automatically set as the default; you can reassign it at any time from the Providers page.

Find Your Workspace

If you have forgotten your workspace URL, use the Find your workspace flow on the login page:

  1. Click Find your workspace
  2. Enter your email address
  3. If an account exists for that email, a recovery email is sent with your workspace URL

The response is always identical regardless of whether an account exists, to prevent email enumeration. Requests are rate-limited to 1 per email per minute.

Export Your Data

You can download a copy of all data associated with your account (GDPR Art. 20):

  1. Go to Profile → Account
  2. Click Export data
  3. A JSON file is returned immediately containing your profile, consent record, audit log, API keys, SSH key, notification preferences, and MFA enrollment status

Exports are rate-limited to 1 per hour.

Delete Your Account

You can permanently delete your account and all associated data (GDPR Art. 17):

  1. Go to Profile → Account
  2. Click Delete account
  3. Confirm your password when prompted

Account deletion removes all your data from the platform, revokes all active sessions, and cannot be undone.