Authentication
PLai Framework uses multiple authentication methods depending on the context. This guide covers all authentication scenarios you'll encounter.
Dashboard Authentication
User Registration & Login
Email Verification
Check your email and click the verification link
Organization Setup
Create your first organization or accept an invitation
Project Access
Create a project or get invited to existing projects
Session Management
PLai Framework uses secure session cookies for dashboard authentication:
- Session Duration: Sessions last 30 days by default
- Auto-Renewal: Sessions renew automatically with activity
- Secure Cookies: All cookies are httpOnly and secure
API Authentication
JWT Tokens
API access uses JWT (JSON Web Tokens) for authentication:
```javascript
// Example API call with JWT
const response = await fetch('https://api.plaisolutions.com/agents', {
  headers: {
    'Authorization': `Bearer ${jwt_token}`,
    'Content-Type': 'application/json'
  }
});
```
Token Types
User JWT
Authenticates user actions and personal resources
Project JWT
Provides access to project-specific resources
Obtaining Tokens
Dashboard Method:
```javascript
// Tokens are automatically stored in cookies
const user_jwt = getCookie('user_jwt');
const project_jwt = getCookie('project_jwt');
```
API Method:
```bash
curl -X POST https://api.plaisolutions.com/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com", "password": "password"}'
```
Organization & Project Access
Role-Based Access Control (RBAC)
PLai Framework implements fine-grained RBAC:
Organization roles:
- Owner: Full organization control
- Admin: Manage users and projects
- Member: Access assigned projects
- Viewer: No access

Project roles:
- Owner: Full project control
- Admin: Manage project resources
- Member: Use agents, datasources and tools as project member
- Viewer: Read-only access
Permission Matrix
| Action | Viewer | Member | Admin | Owner |
|---|---|---|---|---|
| View Agents | Yes | Yes | Yes | Yes |
| Chat with Agents | Yes | Yes | Yes | Yes |
| Create Agents | No | Yes | Yes | Yes |
| Manage Tools & Datasources | No | Yes | Yes | Yes |
| View Analytics | No | Yes | Yes | Yes |
| Manage Batches | No | Yes | Yes | Yes |
| Billing Access | No | No | No | Yes |
API Security
Rate Limiting
We're working on it.
Always include these headers in API requests:
```javascript
const headers = {
  'Authorization': `Bearer ${jwt_token}`,
  'Content-Type': 'application/json',
  'User-Agent': 'YourApp/1.0.0',
  'X-API-Version': '1.0'
};
```
Environment-Specific Configuration
Development Environment
```javascript
const config = {
  apiUrl: 'https://staging.api.plaisolutions.com',
  dashboardUrl: 'https://staging.framework.plaisolutions.com'
};
```
Production Environment
```javascript
const config = {
  apiUrl: 'https://api.plaisolutions.com',
  dashboardUrl: 'https://framework.plaisolutions.com'
};
```
Error Handling
Common Authentication Errors
```json
{
  "error": "unauthorized",
  "message": "Invalid or expired token",
  "code": 401
}
```
Error Response Handling
```typescript
async function handleApiRequest(url: string, options: RequestInit) {
  const response = await fetch(url, options);

  if (response.status === 401) {
    // Token expired or invalid: send the user back to login
    window.location.href = '/auth/login';
    return;
  }

  if (response.status === 403) {
    // Authenticated, but the current role lacks this permission
    throw new Error('You do not have permission to perform this action');
  }

  if (response.status === 429) {
    // Rate limited: Retry-After may be absent, so fall back to a default
    const retryAfter = response.headers.get('Retry-After') ?? '1';
    throw new Error(`Rate limited. Retry after ${retryAfter} seconds`);
  }

  if (!response.ok) {
    // Any other non-2xx response should not be parsed as a successful result
    throw new Error(`Request failed with status ${response.status}`);
  }

  return response.json();
}
```
Security Best Practices
Never expose JWT tokens in client-side code or logs. Always use secure storage methods.
Rotate tokens regularly and implement proper token refresh mechanisms for long-running applications.
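As an added example (not code from the PLai docs or SDK), the helper below ties the error handling and token-refresh advice above together: it builds the required headers, reads the JWT's `exp` claim (without verifying the signature) so a refresh can happen before the request rather than after a 401, and maps 401/403/429 to structured results that never contain the token. It assumes Node 18+ (global `fetch`, `Buffer` with `base64url`); the function names and the one-second fallback when `Retry-After` is missing are our own choices.

```javascript
// Added example, not PLai's own code. Assumes Node 18+ (global fetch, Buffer 'base64url').
const BASE_HEADERS = { 'Content-Type': 'application/json',
  'User-Agent': 'YourApp/1.0.0', 'X-API-Version': '1.0' };

// Read `exp` from a JWT payload WITHOUT verifying the signature: enough to schedule a
// refresh on the client, never a reason to trust the claims. Returns epoch ms or null.
function jwtExpiresAt(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return Number.isFinite(payload.exp) ? payload.exp * 1000 : null;
  } catch {
    return null; // not base64url, not JSON, or no usable exp claim
  }
}

// A token expiring within skewMs, or one we cannot parse, is stale: refresh before calling.
function isExpiringSoon(token, skewMs = 60_000, now = Date.now()) {
  const exp = jwtExpiresAt(token);
  return exp === null || exp - now <= skewMs;
}

// Caller headers may override the defaults, but never the Authorization header.
function buildHeaders(token, extra = {}) {
  return { ...BASE_HEADERS, ...extra, Authorization: `Bearer ${token}` };
}

// Map the statuses the docs describe to results that are safe to log (no token inside).
function classifyResponse(status, headers) {
  if (status === 401) return { ok: false, kind: 'unauthorized', status };
  if (status === 403) return { ok: false, kind: 'forbidden', status };
  if (status === 429) {
    const parsed = Number(headers.get('Retry-After')); // header may be absent
    const retryAfter = Number.isFinite(parsed) && parsed > 0 ? parsed : 1;
    return { ok: false, kind: 'rate_limited', status, retryAfter };
  }
  if (status < 200 || status >= 300) return { ok: false, kind: 'http_error', status };
  return { ok: true, kind: 'ok', status };
}

// fetchImpl is injectable so the helper can be exercised without network access.
async function apiRequest(url, token, options = {}, fetchImpl = fetch) {
  if (isExpiringSoon(token)) return { ok: false, kind: 'token_expiring', status: 0 };
  const response = await fetchImpl(url, { ...options, headers: buildHeaders(token, options.headers) });
  const result = classifyResponse(response.status, response.headers);
  return result.ok ? { ...result, body: await response.json() } : result;
}
```

A `token_expiring` result is the caller's cue to obtain a fresh token (dashboard cookie or `/auth/login`) before retrying.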
Token Storage
Web Applications
- Use httpOnly cookies for automatic inclusion
- Store in secure sessionStorage for manual handling
- Never use localStorage for sensitive tokens

Mobile Applications
- Use secure keychain/keystore storage
- Implement biometric authentication where available
- Clear tokens on app logout or uninstall

Server Applications
- Use environment variables or secure vaults
- Implement token refresh logic
- Log authentication events for audit