
core-auth-service

The authentication and authorization backbone of the CROW platform. Manages user sessions via Better Auth, issues JWTs for internal service communication, handles API key lifecycle, and orchestrates the multi-step onboarding flow.

Worker name: crow-core-auth-service
Domain (prod): internal.auth-api.crowai.dev
Domain (dev): dev.internal.auth-api.crowai.dev

Schema

user

| Column | Type | Notes |
|---|---|---|
| id | text PK | Better Auth user ID |
| name | text | |
| email | text | unique |
| emailVerified | boolean | default false |
| image | text | nullable |
| isAnonymous | boolean | default false |
| createdAt | timestamp | |
| updatedAt | timestamp | |

session

| Column | Type | Notes |
|---|---|---|
| id | text PK | |
| token | text | unique |
| expiresAt | timestamp | |
| ipAddress | text | nullable |
| userAgent | text | nullable |
| userId | text FK | references user.id |
| activeOrganizationId | text | nullable, set by set-active |
| createdAt | timestamp | |
| updatedAt | timestamp | |

account

| Column | Type | Notes |
|---|---|---|
| id | text PK | |
| accountId | text | provider-specific ID |
| providerId | text | credential, google, etc. |
| userId | text FK | references user.id |
| accessToken | text | nullable |
| refreshToken | text | nullable |
| idToken | text | nullable |
| password | text | nullable, hashed |
| scope | text | nullable |
| createdAt | timestamp | |
| updatedAt | timestamp | |

organization

Better Auth organization plugin table.

| Column | Type | Notes |
|---|---|---|
| id | text PK | Better Auth org ID |
| name | text | |
| slug | text | unique |
| logo | text | nullable |
| metadata | text | nullable, JSON |
| createdAt | timestamp | |

member

| Column | Type | Notes |
|---|---|---|
| id | text PK | |
| organizationId | text FK | references organization.id |
| userId | text FK | references user.id |
| role | text | owner, admin, member |
| createdAt | timestamp | |

invitation

| Column | Type | Notes |
|---|---|---|
| id | text PK | |
| organizationId | text FK | |
| email | text | |
| role | text | |
| status | text | default pending |
| expiresAt | timestamp | |
| inviterId | text FK | references user.id |
| createdAt | timestamp | |

apikey

| Column | Type | Notes |
|---|---|---|
| id | text PK | |
| name | text | nullable |
| start | text | nullable, key prefix display |
| prefix | text | nullable |
| key | text | hashed key |
| userId | text FK | |
| enabled | boolean | default true |
| rateLimitEnabled | boolean | default false |
| rateLimitTimeWindow | integer | nullable |
| rateLimitMax | integer | nullable |
| requestCount | integer | default 0 |
| remaining | integer | nullable |
| expiresAt | timestamp | nullable |
| permissions | text | nullable, JSON |
| metadata | text | nullable, JSON (includes organizationId) |
| createdAt | timestamp | |
| updatedAt | timestamp | |

onboarding

| Column | Type | Notes |
|---|---|---|
| id | text PK | |
| betterAuthUserId | text | |
| betterAuthOrgId | text | nullable |
| orgBuilderId | text | nullable |
| userBuilderId | text | nullable |
| billingBuilderId | text | nullable |
| currentStep | integer | default 1 |
| completedSteps | text | JSON array |
| productSource | text | nullable |
| sources | text | JSON |
| status | text | default in_progress |
| createdAt | timestamp | |
| completedAt | timestamp | nullable |

verification

Better Auth verification tokens (email verify, password reset).

jwks

| Column | Type | Notes |
|---|---|---|
| id | text PK | |
| publicKey | text | JWK public key |
| privateKey | text | JWK private key |
| createdAt | timestamp | |

Routes

Better Auth Routes (proxied)

All routes matching /api/v1/auth/{sign-up,sign-in,sign-out,session,get-session,user,callback,verify-email,reset-password,change-password,forgot-password,update-user,organization,invite,token,jwks,api-key}/* are proxied directly to Better Auth's handler.

Notable routes:

  • POST /api/v1/auth/sign-up/email -- email/password registration
  • POST /api/v1/auth/sign-in/email -- email/password login
  • GET /api/v1/auth/get-session -- returns current session + activeOrganizationId
  • GET /api/v1/auth/token -- returns JWT for the authenticated session
  • GET /api/v1/auth/jwks -- public JWKS for JWT verification
  • POST /api/v1/auth/organization/create -- creates org (triggers sync to org+user services)
  • POST /api/v1/auth/organization/set-active -- sets active org on session
  • POST /api/v1/auth/api-key/create -- creates an API key

Custom Routes

| Method | Path | Description |
|---|---|---|
| POST | /api/v1/auth/api-key/verify | Verifies an API key (internal, requires X-Service-API-Key) |
| POST | /api/v1/auth/api-key/system-token | Issues a system JWT for an API key holder |
| * | /api/v1/auth/jwt/* | JWT-related routes |
| * | /api/v1/auth/onboarding/* | Multi-step onboarding flow management |
| * | /api/v1/auth/onboarding/callbacks/* | Onboarding callback handlers |
| * | /api/v1/auth/team-invitations/* | Team invitation management |
| GET | /health | Health check |
| GET | /ready | Readiness check (includes DB health) |

Environment Variables

| Variable | Example | Notes |
|---|---|---|
| ENVIRONMENT | dev | local, dev, prod |
| BETTER_AUTH_URL | https://dev.api.crowai.dev | Base URL for Better Auth |
| PRODUCT_SERVICE_URL | https://dev.internal.products.crowai.dev | |
| AUTH_CLIENT_URL | https://dev.auth.crowai.dev | Redirect URLs |
| NOTIFICATION_SERVICE_URL | https://dev.internal.notifications.crowai.dev | |
| USER_SERVICE_URL | https://dev.internal.users.crowai.dev | |
| BILLING_SERVICE_URL | https://dev.internal.billing.crowai.dev | |
| ORGANIZATION_SERVICE_URL | https://dev.internal.orgs.crowai.dev | |
| DASHBOARD_URL | https://dev.app.crowai.dev | |

Secrets

| Secret | Purpose |
|---|---|
| BETTER_AUTH_SECRET | Session signing key |
| GOOGLE_CLIENT_ID | Google OAuth client ID |
| GOOGLE_CLIENT_SECRET | Google OAuth client secret |
| SERVICE_API_KEY_USER | Key for calling user service |
| SERVICE_API_KEY_ORGANIZATION | Key for calling org service |
| SERVICE_API_KEY_BILLING | Key for calling billing service |
| SERVICE_API_KEY_NOTIFICATION | Key for calling notification service |
| SERVICE_API_KEY_PRODUCT | Key for calling product service |
| SERVICE_API_KEY_GATEWAY | Accepted from gateway |
| SERVICE_API_KEY_WEB_INGEST | Accepted from web-ingest service |

Bindings

| Binding | Type | Name |
|---|---|---|
| DB | D1 | crow-core-auth-service-db |
| PRODUCT_CRAWL_QUEUE | Queue (producer) | crow-product-crawl-queue |

Dependencies

  • Outbound: user service (sync), org service (sync), notification service, billing service, product service
  • Inbound: gateway (session validation, JWT retrieval), all services (JWKS)

Key Behaviors

  • Org create sync: On POST /organization/create success, the service calls the org service and user service to create corresponding internal records (via syncOrgAndMember)
  • Email domain blocklist: Consumer domains (gmail, yahoo, outlook, etc.) are rejected at sign-up
  • Rate limiting: Map-based in-memory rate limiter on sign-in, sign-up, api-key/verify, and system JWT endpoints (300 requests max per window)
  • Cookie cache: Disabled (cookieCache: { enabled: false }) to prevent stale session data after set-active
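Added example (not the service's own code) of the kind of Map-based in-memory limiter the rate-limiting bullet describes: a fixed window of 300 requests keyed per route and client, with a sweep to drop expired buckets. The window length, the key format and the injectable clock are assumptions made here.

```javascript
// Added example: Map-based in-memory fixed-window rate limiter (assumed shape, not the service's code).
class MemoryRateLimiter {
  constructor({ max = 300, windowMs = 60_000, now = () => Date.now() } = {}) {
    this.max = max;          // 300 requests per window, matching the documented limit
    this.windowMs = windowMs; // window length is an assumption
    this.now = now;           // injectable clock so the window roll-over can be tested
    this.buckets = new Map(); // key -> { count, resetAt }
  }

  // Records the request if allowed and returns the decision plus what a 429 response would need.
  check(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b || t >= b.resetAt) {           // first request, or the previous window has elapsed
      b = { count: 0, resetAt: t + this.windowMs };
      this.buckets.set(key, b);
    }
    if (b.count >= this.max) return { allowed: false, remaining: 0, retryAfterMs: b.resetAt - t };
    b.count += 1;
    return { allowed: true, remaining: this.max - b.count, retryAfterMs: 0 };
  }

  // Drops expired buckets so the Map does not grow without bound under client churn; returns live count.
  sweep() {
    const t = this.now();
    for (const [k, b] of this.buckets) if (t >= b.resetAt) this.buckets.delete(k);
    return this.buckets.size;
  }
}

// Hypothetical key derivation for the limited endpoints (sign-in, sign-up, api-key/verify, system JWT).
function limitKey(route, clientIp) {
  return `${route}:${clientIp}`;
}
```

Because the state lives in the Worker isolate's memory, counts are per isolate rather than shared across instances, so the effective ceiling a distributed client sees is higher than 300; that is a property of in-memory limiters in general, not something this page states.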