Thena Platform implements a robust security model based on Google’s Zanzibar authorization system, providing enterprise-grade security with fine-grained access control.

Authentication

User Authentication

curl -X POST https://api.thena.ai/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com", "password": "your-password"}'

Authentication Methods

  1. JWT-Based Authentication

    • Secure token-based authentication
    • Configurable token expiration
    • Refresh token support
  2. SSO Integration

    • SAML 2.0 support
    • OpenID Connect
    • Custom SSO providers
  3. API Key Authentication

    • Secure machine-to-machine communication
    • Rate limiting and usage tracking
    • Key rotation policies

Authorization

Zanzibar-Style Authorization

Thena Platform uses a Zanzibar-inspired authorization system that provides:

  1. Fine-Grained Access Control

    • Object-level permissions
    • Relationship-based access
    • Dynamic permission evaluation
  2. Permission Types

    • Direct permissions
    • Inherited permissions
    • Computed permissions
  3. Access Levels

    • View
    • Edit
    • Admin
    • Custom roles

Permission Model

{
  "subject": {
    "type": "user",
    "id": "user123"
  },
  "object": {
    "type": "ticket",
    "id": "ticket456"
  },
  "relation": "can_view",
  "inheritance": ["team_member", "organization_admin"]
}

Scope Evaluation

The platform performs runtime scope evaluation to determine:

  1. User Context

    • Current organization
    • Team memberships
    • Role assignments
  2. Resource Access

    • Direct permissions
    • Inherited permissions
    • Temporary access grants
  3. Action Authorization

    • Operation-specific checks
    • Conditional logic
    • Policy enforcement

Best Practices

Security Implementation

  1. Token Management

    • Store tokens securely
    • Rotate tokens regularly
    • Validate tokens properly
  2. Permission Design

    • Follow the principle of least privilege
    • Group related permissions
    • Audit permissions regularly
  3. Error Handling

    • Return well-defined authentication errors
    • Return clear authorization messages
    • Log errors securely

Integration Guidelines

  1. API Security

    • Use HTTPS only
    • Implement rate limiting
    • Validate all inputs
  2. Client Implementation

    • Secure credential storage
    • Token refresh handling
    • Error recovery

Common Use Cases

Multi-Tenant Security

Example Multi-Tenant Policy

{
  "policy": "organization_isolation",
  "rules": [
    {
      "resource": "*",
      "effect": "deny",
      "condition": "resource.org_id != user.org_id"
    }
  ]
}
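The permission model, the scope evaluation steps and the organization-isolation policy above fit together in a single check: deny first when the resource's organization is not the user's, then walk the relation graph for direct, computed (team membership, organization admin) and inherited permissions, honouring expiry on temporary grants. The following is an added illustration, not Thena's own code; the tuple store, the USER_ORG map, and the INHERITS and COMPUTED rewrite rules are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data for illustration only; not Thena's real store or schema.
# Relation tuples: (object, relation, subject, expires_at or None for permanent).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
TUPLES = [
    ("ticket:ticket456", "organization", "organization:org1", None),  # ticket's tenant
    ("ticket:ticket456", "team", "team:team1", None),                 # ticket's team
    ("ticket:ticket456", "can_view", "user:user123", None),           # direct permission
    ("ticket:ticket456", "can_view", "user:user555", None),           # cross-tenant grant (misconfig)
    ("team:team1", "member", "user:user789", None),                   # team membership
    ("organization:org1", "admin", "user:user999", None),             # organization admin
    ("ticket:ticket456", "can_edit", "user:user789", NOW + timedelta(hours=1)),  # temporary grant
]
# Assumed user -> organization mapping (the "current organization" of the user context).
USER_ORG = {"user:user123": "org1", "user:user789": "org1",
            "user:user999": "org1", "user:user555": "org2"}
# Assumed rewrite rules mirroring the page's "inheritance" list: a relation holds directly,
# or through one of the listed inherited relations.
INHERITS = {"can_view": ["team_member", "organization_admin"], "can_edit": ["organization_admin"]}
# Computed relations: follow a relation from the object to a parent, then check a relation there.
COMPUTED = {"team_member": ("team", "member"), "organization_admin": ("organization", "admin")}

def direct(obj, relation, subject, now):
    """Direct permission: a tuple links subject to object and has not expired."""
    return any(o == obj and r == relation and s == subject and (exp is None or exp > now)
               for o, r, s, exp in TUPLES)

def parents(obj, relation):
    """Objects reachable from obj through relation (e.g. the team a ticket belongs to)."""
    return [s for o, r, s, _ in TUPLES if o == obj and r == relation]

def has_relation(obj, relation, subject, now):
    """Direct, then computed (via a parent object), then inherited relations."""
    if direct(obj, relation, subject, now):
        return True
    if relation in COMPUTED:
        via, parent_relation = COMPUTED[relation]
        return any(has_relation(p, parent_relation, subject, now) for p in parents(obj, via))
    return any(has_relation(obj, inherited, subject, now) for inherited in INHERITS.get(relation, []))

def check(subject, relation, obj, now=NOW):
    """Runtime scope evaluation: tenant-isolation deny rule first, then the relation graph."""
    user_org = f"organization:{USER_ORG.get(subject)}"
    if user_org not in parents(obj, "organization"):  # resource.org_id != user.org_id -> deny
        return False
    return has_relation(obj, relation, subject, now)
```

Note that user555 holds a direct can_view tuple on the ticket yet is still denied, because the organization-isolation rule is evaluated before any relation lookup.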

Team-Based Access

Team Access Configuration

{
  "team_policy": {
    "inherit_from": "organization",
    "override": {
      "tickets": {
        "view": "team_members",
        "edit": "team_leads"
      }
    }
  }
}

Next Steps