Thena Platform implements a security model based on Google's Zanzibar authorization system. Access is expressed as relationships between subjects and objects, which gives fine-grained, object-level access control on top of the platform's authentication layer.

Authentication

User Authentication

Exchange a user's credentials for a JWT at the login endpoint (the password travels in the request body, so only ever call it over HTTPS):
curl -X POST https://api.thena.ai/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com", "password": "your-password"}'

Authentication Methods

  1. JWT-Based Authentication
    • Signed bearer tokens; the server verifies signature, issuer, audience and expiry on every request
    • Configurable token expiration
    • Refresh token support
  2. SSO Integration
    • SAML 2.0 support
    • OpenID Connect
    • Custom SSO providers
  3. API Key Authentication
    • Secure machine-to-machine communication; keys are secrets and belong in a secret store, never in source control or client-side code
    • Rate limiting and usage tracking
    • Key rotation policies

Authorization

Zanzibar-Style Authorization

Thena Platform uses a Zanzibar-inspired authorization system that provides:
  1. Fine-Grained Access Control
    • Object-level permissions
    • Relationship-based access
    • Dynamic permission evaluation
  2. Permission Types
    • Direct permissions
    • Inherited permissions
    • Computed permissions
  3. Access Levels
    • View
    • Edit
    • Admin
    • Custom roles

Permission Model

A permission is a relationship tuple: the subject, the object, the relation being checked, and the relations through which it may be inherited (here, through team membership or organization admin):
{
  "subject": {
    "type": "user",
    "id": "user123"
  },
  "object": {
    "type": "ticket",
    "id": "ticket456"
  },
  "relation": "can_view",
  "inheritance": ["team_member", "organization_admin"]
}

Scope Evaluation

The platform performs runtime scope evaluation to determine:
  1. User Context
    • Current organization
    • Team memberships
    • Role assignments
  2. Resource Access
    • Direct permissions
    • Inherited permissions
    • Temporary access grants
  3. Action Authorization
    • Operation-specific checks
    • Conditional logic
    • Policy enforcement
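The following is an added example, not Thena's own code, showing how the permission model above and the runtime scope evaluation fit together in a minimal Zanzibar-style checker. Every relationship is a tuple (object, relation, subject); a subject is either a user ("user:123") or a userset ("organization:1#member"), which is how inherited permissions are stored. Object naming, the relation names, the rewrite rules in SCHEMA and the sample tuples are assumptions for the example, not Thena's schema. Temporary access grants are modelled as tuples with an expiry time that the check evaluates against the current time.

```python
"""Added example, not Thena's own code: a minimal Zanzibar-style checker.
Object naming, relation names and the SCHEMA rewrite rules are assumptions."""
from collections import defaultdict
import time

# Rewrite rules, i.e. the "inheritance" part of the permission model.
#   implied_by: another relation on the same object that grants this one
#   via_parent: (relation naming a parent object, relation on that parent),
#               e.g. members of a ticket's team can view the ticket
SCHEMA = {
    "ticket": {
        "can_view": {"implied_by": ["can_edit"], "via_parent": [("team", "member")]},
        "can_edit": {"implied_by": [], "via_parent": [("team", "lead"), ("organization", "admin")]},
    },
    "team": {"member": {"implied_by": ["lead"]}},
    "organization": {"member": {"implied_by": ["admin"]}},
}


class RelationStore:
    def __init__(self):
        # (object, relation) -> {(subject, expires_at)}
        self._tuples = defaultdict(set)

    def write(self, obj, relation, subject, expires_at=None):
        """Store a tuple; expires_at (unix time) makes it a temporary grant."""
        self._tuples[(obj, relation)].add((subject, expires_at))

    def subjects(self, obj, relation, now):
        """Subjects of (obj, relation) whose grant is still live at `now`."""
        return [s for s, exp in self._tuples.get((obj, relation), ())
                if exp is None or exp > now]


def obj_type(obj):
    return obj.split(":", 1)[0]          # "ticket:456" -> "ticket"


def check(store, obj, relation, user, now=None, _seen=None):
    """True if `user` holds `relation` on `obj` at time `now`, following
    direct tuples, userset subjects and the SCHEMA rewrites."""
    now = time.time() if now is None else now
    _seen = set() if _seen is None else _seen
    if (obj, relation) in _seen:         # cycle guard for userset references
        return False
    _seen.add((obj, relation))

    for subject in store.subjects(obj, relation, now):
        if subject == user:              # direct permission
            return True
        if "#" in subject:               # userset: everyone holding s_rel on s_obj
            s_obj, s_rel = subject.split("#", 1)
            if check(store, s_obj, s_rel, user, now, _seen):
                return True

    rules = SCHEMA.get(obj_type(obj), {}).get(relation, {})
    for other in rules.get("implied_by", []):          # computed permission
        if check(store, obj, other, user, now, _seen):
            return True
    for parent_rel, parent_relation in rules.get("via_parent", []):  # inherited
        for parent in store.subjects(obj, parent_rel, now):
            if check(store, parent, parent_relation, user, now, _seen):
                return True
    return False


def demo_store():
    """Constructed sample data: one organization, one team, one ticket."""
    s = RelationStore()
    s.write("organization:1", "admin", "user:admin")
    s.write("organization:1", "member", "user:123")
    s.write("organization:1", "member", "user:789")
    s.write("team:9", "member", "user:123")
    s.write("team:9", "lead", "user:lead")
    s.write("ticket:456", "team", "team:9")
    s.write("ticket:456", "organization", "organization:1")
    # every organization member may view this ticket (userset subject)
    s.write("ticket:456", "can_view", "organization:1#member")
    # temporary grant: a contractor may edit until the expiry time
    s.write("ticket:456", "can_edit", "user:contractor", expires_at=1_700_000_000)
    return s


if __name__ == "__main__":
    s = demo_store()
    for who in ("user:123", "user:lead", "user:admin", "user:789", "user:contractor", "user:stranger"):
        print(who, "view:", check(s, "ticket:456", "can_view", who, now=1_699_000_000),
              "edit:", check(s, "ticket:456", "can_edit", who, now=1_699_000_000))
```

Running it at a time before the contractor's expiry shows the three inheritance paths at once: user:123 can view through team membership and the organization-wide userset but cannot edit, user:lead edits because a lead is a member, user:admin edits through the organization parent, and the contractor's edit (and the view it implies) disappears once the grant's expiry has passed.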

Best Practices

Security Implementation

  1. Token Management
    • Store tokens where other users and scripts cannot read them, and never write them to logs
    • Rotate signing keys and refresh tokens on a schedule, and immediately on suspected compromise
    • Validate signature, issuer, audience and expiry on every request; reject tokens whose algorithm is not the one you issue
  2. Permission Design
    • Follow the principle of least privilege
    • Group related permissions into roles rather than granting them one by one
    • Audit permissions regularly and remove grants that are no longer used
  3. Error Handling
    • Return a generic authentication failure; do not reveal whether the account exists
    • Return authorization errors that tell the caller what was refused without disclosing resources they cannot see
    • Log failures with enough context to investigate, but never credentials or tokens
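As an added example of the token validation and key rotation points above (not Thena's own code), here is an HS256 JWT verifier written against the standard library only. The verification key is looked up by the token's "kid" header, so a new signing key can be introduced while the previous one is still accepted and then retired by removing it from the key set. The issuer, audience, key ids, secrets and sample claims are constructed for the example.

```python
"""Added example, not Thena's own code: HS256 JWT validation with key
rotation by key id. Issuer, audience, keys and claims are constructed."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "thena-auth-example"       # constructed value
AUDIENCE = "thena-api-example"      # constructed value
KEYS = {                            # constructed secrets; k1 is being rotated out
    "k1": b"old-signing-secret",
    "k2": b"new-signing-secret",
}
SAMPLE_CLAIMS = {"sub": "user123", "iss": ISSUER, "aud": AUDIENCE,
                 "iat": 1700000000, "exp": 1700000900}   # constructed


class TokenError(Exception):
    pass


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes, kid: str) -> str:
    """Issue an HS256 token whose header names the signing key by id."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, keys: dict, issuer: str, audience: str, now=None) -> dict:
    """Return the claims if the token is valid, otherwise raise TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
        signature = b64url_decode(s_b64)
    except ValueError:                      # covers base64 and JSON errors
        raise TokenError("undecodable header or signature")
    # Pin the algorithm: the header never gets to choose the verifier
    # (blocks "alg": "none" and key-confusion attacks).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected algorithm")
    key = keys.get(header.get("kid"))
    if key is None:                         # unknown or already retired key id
        raise TokenError("unknown key id")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time compare
        raise TokenError("bad signature")
    try:
        claims = json.loads(b64url_decode(p_b64))
    except ValueError:
        raise TokenError("undecodable claims")
    if not isinstance(claims, dict) or claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("expired or missing exp")
    nbf = claims.get("nbf", 0)
    if not isinstance(nbf, (int, float)) or nbf > now:
        raise TokenError("not yet valid")
    return claims


def token_valid(token, keys, issuer, audience, now=None) -> bool:
    try:
        verify_jwt(token, keys, issuer, audience, now)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    tok = sign_jwt(SAMPLE_CLAIMS, KEYS["k2"], "k2")
    print("fresh token valid:", token_valid(tok, KEYS, ISSUER, AUDIENCE, now=1700000100))
    print("after rotating k2 out:", token_valid(tok, {"k1": KEYS["k1"]}, ISSUER, AUDIENCE, now=1700000100))
```

The order of checks matters: the algorithm is pinned and the signature is verified before any claim is read, so a forged payload never influences a decision, and expiry is tested against the caller-supplied clock so it can be exercised deterministically in tests.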

Integration Guidelines

  1. API Security
    • Use HTTPS only
    • Implement rate limiting
    • Validate all inputs
  2. Client Implementation
    • Secure credential storage
    • Token refresh handling
    • Error recovery

Common Use Cases

Multi-Tenant Security

Example Multi-Tenant Policy: a deny rule that matches every resource whose org_id differs from the caller's organization
{
  "policy": "organization_isolation",
  "rules": [
    {
      "resource": "*",
      "effect": "deny",
      "condition": "resource.org_id != user.org_id"
    }
  ]
}

Team-Based Access

Team Access Configuration: the team inherits the organization's policy and overrides who may view and edit tickets
{
  "team_policy": {
    "inherit_from": "organization",
    "override": {
      "tickets": {
        "view": "team_members",
        "edit": "team_leads"
      }
    }
  }
}
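The following is an added example, not Thena's own code, of a deny-overrides evaluator for policy documents shaped like the two above: the organization-isolation deny rule is checked first, then the effective team policy (organization defaults with the team's overrides layered on top) names the group that may perform the action. The organization-level defaults the team inherits, the group vocabulary the policy values resolve to, and the user and resource records are constructed for the example; condition strings support only "lhs == rhs" and "lhs != rhs" over dotted attribute paths such as resource.org_id.

```python
"""Added example, not Thena's own code: deny-overrides evaluation of the
organization isolation and team override policies. ORG_DEFAULTS, the
group names and the sample records are constructed assumptions."""
import json
import operator

ORG_ISOLATION = json.loads("""
{ "policy": "organization_isolation",
  "rules": [ { "resource": "*", "effect": "deny",
               "condition": "resource.org_id != user.org_id" } ] }
""")

TEAM_POLICY = json.loads("""
{ "team_policy": { "inherit_from": "organization",
                   "override": { "tickets": { "view": "team_members",
                                              "edit": "team_leads" } } } }
""")

# Organization-level policy the team inherits (assumption for the example).
ORG_DEFAULTS = {
    "tickets": {"view": "org_members", "edit": "org_admins"},
    "comments": {"view": "org_members", "edit": "org_members"},
}

_OPS = {"==": operator.eq, "!=": operator.ne}


def lookup(path, ctx):
    """Resolve 'resource.org_id' against {'resource': {...}, 'user': {...}}."""
    cur = ctx
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            raise KeyError(path)
        cur = cur[part]
    return cur


def condition_holds(cond, ctx):
    for op_text, fn in _OPS.items():
        if f" {op_text} " in cond:
            lhs, rhs = (p.strip() for p in cond.split(f" {op_text} ", 1))
            return fn(lookup(lhs, ctx), lookup(rhs, ctx))
    raise ValueError(f"unsupported condition: {cond}")


def denied(policy, resource_type, ctx):
    """True if any deny rule applies. A condition that cannot be evaluated
    (e.g. a resource with no org_id) counts as a match: fail closed."""
    for rule in policy["rules"]:
        if rule["effect"] != "deny" or rule["resource"] not in ("*", resource_type):
            continue
        try:
            if condition_holds(rule["condition"], ctx):
                return True
        except KeyError:
            return True
    return False


def effective_policy(team_policy, org_defaults):
    """Team overrides layered on top of the inherited organization policy."""
    tp = team_policy["team_policy"]
    if tp.get("inherit_from") != "organization":
        raise ValueError("only organization inheritance is modelled here")
    merged = {rtype: dict(actions) for rtype, actions in org_defaults.items()}
    for rtype, actions in tp.get("override", {}).items():
        merged.setdefault(rtype, {}).update(actions)
    return merged


def groups_for(user, resource):
    """Group names the user satisfies for this resource (assumed vocabulary)."""
    groups = set()
    if user.get("org_id") == resource.get("org_id"):
        groups.add("org_members")
        if user.get("org_role") == "admin":
            groups.add("org_admins")
    if resource.get("team_id") in user.get("teams", ()):
        groups.add("team_members")
    if resource.get("team_id") in user.get("lead_of", ()):
        groups.update({"team_members", "team_leads"})
    return groups


def authorize(user, resource, resource_type, action):
    """Deny rules first; then the action must be granted to one of the user's groups."""
    ctx = {"user": user, "resource": resource}
    if denied(ORG_ISOLATION, resource_type, ctx):
        return False
    required = effective_policy(TEAM_POLICY, ORG_DEFAULTS).get(resource_type, {}).get(action)
    return required is not None and required in groups_for(user, resource)


# Constructed sample records
MEMBER = {"id": "u1", "org_id": "org-1", "teams": ["t-9"]}
LEAD = {"id": "u2", "org_id": "org-1", "teams": ["t-9"], "lead_of": ["t-9"]}
ORG_ADMIN = {"id": "u3", "org_id": "org-1", "org_role": "admin", "teams": []}
OUTSIDER = {"id": "u4", "org_id": "org-2", "teams": ["t-9"]}
TICKET = {"id": "ticket456", "org_id": "org-1", "team_id": "t-9"}
COMMENT = {"id": "c1", "org_id": "org-1", "team_id": "t-9"}
```

Two behaviours are worth noticing. The outsider belongs to a team with the same id as the ticket's team, yet is refused before any team rule is consulted because the isolation deny rule wins; and because the team override replaces the organization's "edit" value for tickets, an organization admin who is not a team lead cannot edit this team's tickets while still editing comments, which were inherited unchanged. An action with no rule at all (for example "delete") is refused by default.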

Next Steps