Security

NextAuth (GitHub OAuth) issues RS256 JWTs carrying a `tenant_id` claim, signed with `NEXTAUTH_JWT_PRIVATE_KEY`. The backend verifies the token on every request against the public key published at `/.well-known/jwks.json` (`NEXTAUTH_JWT_PUBLIC_KEY`); requests whose token is missing or has an invalid signature are rejected with 401.

Multi-tenancy is enforced at the Postgres layer with row-level security keyed on `tenant_id`. Two tenants indexing the same repo never see each other's chunks; the multi-tenant gate test in CI proves this end-to-end.

CLI tokens are JWTs valid for 30 days. To revoke all CLI sessions at once, rotate `NEXTAUTH_JWT_PRIVATE_KEY`; per-token revocation is not yet supported.

No API key, billing, or seat controls are exposed in the v0 application settings; see /console/settings for the current surface.