Authentication

Platform (app.synapsex.ai)

Users authenticate via Google OAuth (NextAuth v5). Flow:
  1. User clicks “Sign in with Google” and is sent to Google's consent screen
  2. Google redirects the browser back to the platform with an authorization code, which NextAuth exchanges for Google tokens
  3. Platform provisions the user via POST /api/v1/portal/provision-user
  4. JWT issued with org_id, access_token, role
  5. Session stored in an encrypted cookie

API Authentication

API calls send the key as a Bearer token in the Authorization header:
Authorization: Bearer sx-your-api-key-here

API keys are secrets: send them only over HTTPS, never in query strings, and keep them out of logs.

Service-to-Service

Internal services (Orchestrator ↔ Manager ↔ MCP) sign and verify each other's JWTs with one shared secret (a symmetric HMAC key):
SYNAPSEX_JWT_SECRET=your-32-char-shared-secret

Because the secret is symmetric, any service holding it can mint a token every other service accepts. Generate it as at least 32 random bytes (not a human-chosen string), give it only to these three services, and rotate it on all of them together.

JWT Token Structure

Claims carried in the token. exp is a Unix timestamp in seconds; a receiving service must verify the signature against the shared secret and reject any token whose exp has passed:

{
  "sub": "user@example.com",
  "org_id": "org_abc123",
  "role": "admin",
  "exp": 1744000000
}