Authentication

RedStick AI uses email/password authentication. New users join via an email invitation from a workspace owner or admin. Provider credentials (Anthropic, OpenAI, and others) are managed separately under Providers and are not part of the sign-in flow.

Signup

Create a new workspace by providing:

  • Workspace name and slug (3-63 characters: lowercase letters, digits and hyphens)
  • Email and password (at least 8 characters, including an uppercase letter, a lowercase letter, a digit and a special character)

A real-time password strength indicator helps you choose a strong password. After signup, verify your email via the link sent to your inbox.

Rate limiting: Signups are limited to 3 per IP address within a 15-minute window.
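The slug and password rules above, as an added example written for this page (not RedStick AI's own code). It returns every violated rule at once, the way a signup form and a live strength meter need them; treating any punctuation or symbol as a "special character" is this example's assumption, since the page does not define the set.

```go
package main

import (
	"fmt"
	"regexp"
	"unicode"
)

// slugRe is the documented slug rule: 3-63 characters drawn from
// lowercase letters, digits and hyphens.
var slugRe = regexp.MustCompile(`^[a-z0-9-]{3,63}$`)

func ValidateSlug(slug string) bool { return slugRe.MatchString(slug) }

// PasswordCheck records which of the five password rules a candidate meets.
type PasswordCheck struct {
	Length, Upper, Lower, Digit, Special bool
}

// CheckPassword evaluates the documented policy. "Special" is taken to mean
// any punctuation or symbol character (an assumption of this example).
func CheckPassword(pw string) PasswordCheck {
	c := PasswordCheck{Length: len([]rune(pw)) >= 8}
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			c.Upper = true
		case unicode.IsLower(r):
			c.Lower = true
		case unicode.IsDigit(r):
			c.Digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			c.Special = true
		}
	}
	return c
}

// OK reports whether every rule is satisfied.
func (c PasswordCheck) OK() bool { return c.Length && c.Upper && c.Lower && c.Digit && c.Special }

// Score is a 0-5 count of satisfied rules, the value a real-time strength
// meter can render while the user types.
func (c PasswordCheck) Score() int {
	n := 0
	for _, ok := range []bool{c.Length, c.Upper, c.Lower, c.Digit, c.Special} {
		if ok {
			n++
		}
	}
	return n
}

// Errors lists every violated rule so the form can show them all at once.
func (c PasswordCheck) Errors() []string {
	var errs []string
	rules := []struct {
		ok  bool
		msg string
	}{
		{c.Length, "password must be at least 8 characters"},
		{c.Upper, "password needs an uppercase letter"},
		{c.Lower, "password needs a lowercase letter"},
		{c.Digit, "password needs a digit"},
		{c.Special, "password needs a special character"},
	}
	for _, r := range rules {
		if !r.ok {
			errs = append(errs, r.msg)
		}
	}
	return errs
}

// ValidateSignup runs both checks and returns all problems found.
func ValidateSignup(slug, pw string) []string {
	var errs []string
	if !ValidateSlug(slug) {
		errs = append(errs, "slug must be 3-63 lowercase letters, digits or hyphens")
	}
	return append(errs, CheckPassword(pw).Errors()...)
}

func main() {
	fmt.Println(ValidateSignup("ab", "short"))              // five problems
	fmt.Println(ValidateSignup("acme-team", "Tr0ub4dor&3")) // []
}
```

Counting rune length rather than byte length keeps a password of non-ASCII characters from being rejected or accepted on the wrong measure.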

Login

Enter your workspace slug, email, and password. Failed login attempts are rate-limited:

  • 5 attempts per email address per 15-minute window
  • 20 attempts per IP address per 15-minute window
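The signup and login limits above as one sliding-window limiter, an added example for this page rather than RedStick AI's implementation. Login is checked against both the per-email and per-IP buckets before the password is verified, and only failures are counted; signups count every attempt. The in-memory map stands in for Redis counters, and lower-casing the email for its bucket key is this example's choice.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
	"time"
)

const (
	window        = 15 * time.Minute
	loginPerEmail = 5
	loginPerIP    = 20
	signupPerIP   = 3
)

// Limiter keeps the timestamps of counted events per key and evaluates a
// sliding 15-minute window over them. The map stands in for Redis.
type Limiter struct {
	mu     sync.Mutex
	events map[string][]time.Time
}

func NewLimiter() *Limiter { return &Limiter{events: map[string][]time.Time{}} }

// prune drops events that have left the window and returns the rest.
// The caller holds l.mu.
func (l *Limiter) prune(key string, now time.Time) []time.Time {
	kept := l.events[key][:0]
	for _, ts := range l.events[key] {
		if now.Sub(ts) < window {
			kept = append(kept, ts)
		}
	}
	l.events[key] = kept
	return kept
}

func (l *Limiter) count(key string, now time.Time) int {
	l.mu.Lock()
	defer l.mu.Unlock()
	return len(l.prune(key, now))
}

func (l *Limiter) record(key string, now time.Time) {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.events[key] = append(l.prune(key, now), now)
}

// emailKey lower-cases the address so "A@x.io" and "a@x.io" share a bucket
// (normalisation is this example's choice, not a rule stated on the page).
func emailKey(email string) string {
	return "login:email:" + strings.ToLower(strings.TrimSpace(email))
}

// LoginAllowed is consulted before the password is checked: a caller over
// either limit is refused without the password hash being computed, so
// the attacker's throughput no longer scales with our hashing cost.
func (l *Limiter) LoginAllowed(email, ip string, now time.Time) bool {
	return l.count(emailKey(email), now) < loginPerEmail &&
		l.count("login:ip:"+ip, now) < loginPerIP
}

// RecordLoginFailure counts a failed attempt against both buckets;
// successful logins are not counted.
func (l *Limiter) RecordLoginFailure(email, ip string, now time.Time) {
	l.record(emailKey(email), now)
	l.record("login:ip:"+ip, now)
}

// SignupAllowed counts every signup attempt from the IP, 3 per window.
func (l *Limiter) SignupAllowed(ip string, now time.Time) bool {
	key := "signup:ip:" + ip
	if l.count(key, now) >= signupPerIP {
		return false
	}
	l.record(key, now)
	return true
}

func main() {
	l := NewLimiter()
	now := time.Now()
	for i := 0; i < 6; i++ {
		fmt.Println("attempt", i+1, "allowed:", l.LoginAllowed("alice@example.com", "203.0.113.7", now))
		l.RecordLoginFailure("alice@example.com", "203.0.113.7", now)
	}
}
```

A sliding window avoids the burst a fixed window permits at its boundary: five failures at minute 14 and five more at minute 15 would pass a fixed-window counter but not this one.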

Sessions use a hybrid Redis+PostgreSQL model with a 7-day TTL. Redis serves as the hot read path; PostgreSQL provides durable session history and concurrent-session enforcement. In production, session cookies use the __Host- prefix, which browsers only accept when the cookie is marked Secure, has Path=/ and carries no Domain attribute, so the cookie cannot be set over plain HTTP or overridden from a subdomain.

Anthropic Provider — OAuth PKCE Connection

As an alternative to pasting an Anthropic API key, you can connect your Anthropic account via the OAuth PKCE flow. This is a provider credential flow, not a sign-in method:

  1. Go to Providers and click Connect with Claude
  2. You'll be redirected to Claude's authorization page
  3. Approve the connection
  4. You're redirected back with an API key stored securely

This retrieves an Anthropic API key on your behalf without requiring you to copy it from the Anthropic console.
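The server side of the PKCE exchange above, as an added example written for this page; it is not Anthropic's or RedStick AI's code, and the authorization endpoint, client ID and redirect URI are placeholders. It covers what the four steps leave implicit: a random state and code verifier are generated before the redirect, the S256 challenge (RFC 7636) goes out with the authorization request, and on the callback the state is checked before the code is exchanged, with the stored verifier included so the provider can confirm the challenge.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// randomToken returns n random bytes as unpadded base64url, the alphabet
// RFC 7636 allows for verifiers.
func randomToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// CodeChallenge is the S256 method: BASE64URL(SHA256(ASCII(verifier))).
func CodeChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// PendingAuth is what the server keeps (for example in the session)
// between redirecting the user out and receiving the callback.
type PendingAuth struct {
	State    string
	Verifier string
}

// NewPending generates the state (CSRF binding) and a 43-character
// verifier (32 random bytes).
func NewPending() (PendingAuth, error) {
	state, err := randomToken(16)
	if err != nil {
		return PendingAuth{}, err
	}
	verifier, err := randomToken(32)
	if err != nil {
		return PendingAuth{}, err
	}
	return PendingAuth{State: state, Verifier: verifier}, nil
}

// AuthorizeURL builds the redirect to the provider's authorization page.
// Only the challenge leaves the server; the verifier never does.
func AuthorizeURL(authorizeEndpoint, clientID, redirectURI string, p PendingAuth) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("state", p.State)
	q.Set("code_challenge", CodeChallenge(p.Verifier))
	q.Set("code_challenge_method", "S256")
	return authorizeEndpoint + "?" + q.Encode()
}

// HandleCallback checks the returned state against the stored one before
// trusting the code, then assembles the token request. The verifier in it
// lets the provider check SHA256(verifier) against the challenge it saw.
func HandleCallback(callback string, stored PendingAuth, clientID, redirectURI string) (url.Values, error) {
	u, err := url.Parse(callback)
	if err != nil {
		return nil, err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return nil, errors.New("provider returned error: " + e)
	}
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(stored.State)) != 1 {
		return nil, errors.New("state mismatch: stale or forged callback")
	}
	code := q.Get("code")
	if code == "" {
		return nil, errors.New("missing authorization code")
	}
	form := url.Values{}
	form.Set("grant_type", "authorization_code")
	form.Set("code", code)
	form.Set("redirect_uri", redirectURI)
	form.Set("client_id", clientID)
	form.Set("code_verifier", stored.Verifier)
	return form, nil
}

func main() {
	p, err := NewPending()
	if err != nil {
		panic(err)
	}
	// Endpoint, client ID and redirect URI are placeholders for this example.
	fmt.Println(AuthorizeURL("https://provider.example/oauth/authorize", "client-id", "https://app.example/oauth/callback", p))
}
```

The PendingAuth must be discarded once the callback is handled, whether it succeeded or not, so a captured code cannot be replayed against the same verifier.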

Email Verification

Unverified accounts have limited functionality. The verification token expires after 24 hours. You can request a new verification email from the login page.

Password Reset

  1. Click Forgot Password on the login page
  2. Enter your email address
  3. Check your inbox for a reset link (valid for 1 hour)
  4. Set a new password

Password resets invalidate all existing sessions, so any session established with the old password, including one an attacker may hold, is logged out.

Rate limiting: Password reset requests are rate-limited by IP address.
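One token store serving both the email-verification and the password-reset links above, added here as an example and not RedStick AI's own implementation. It shows the properties the two flows share (random single-use tokens, hash-only storage, a purpose bound to each token, the 24-hour and 1-hour expiries) and the reset-specific step of revoking every session once the new password is set. The maps stand in for database tables and the `setPassword` callback for the user store.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

type Purpose string

const (
	PurposeVerify Purpose = "verify_email"   // link valid for 24 hours
	PurposeReset  Purpose = "reset_password" // link valid for 1 hour
)

var ttl = map[Purpose]time.Duration{PurposeVerify: 24 * time.Hour, PurposeReset: time.Hour}

type tokenRecord struct {
	userID  string
	purpose Purpose
	expires time.Time
	used    bool
}

// TokenStore keeps only SHA-256 hashes of issued tokens, so a dump of the
// table does not yield live reset links. Maps stand in for DB tables.
type TokenStore struct {
	records  map[string]*tokenRecord // hex(sha256(token)) -> record
	Sessions map[string][]string     // userID -> active session IDs
}

func NewTokenStore() *TokenStore {
	return &TokenStore{records: map[string]*tokenRecord{}, Sessions: map[string][]string{}}
}

func hashToken(tok string) string {
	s := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(s[:])
}

// Issue mints a 256-bit single-use token and returns the raw value that
// goes into the emailed link; only its hash is stored.
func (s *TokenStore) Issue(userID string, p Purpose, now time.Time) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := base64.RawURLEncoding.EncodeToString(b)
	s.records[hashToken(tok)] = &tokenRecord{userID: userID, purpose: p, expires: now.Add(ttl[p])}
	return tok, nil
}

// Consume validates and burns a token. Unknown, expired, already-used and
// wrong-purpose tokens all fail with the same message, so the response
// does not tell a caller which condition tripped.
func (s *TokenStore) Consume(tok string, p Purpose, now time.Time) (string, error) {
	rec, ok := s.records[hashToken(tok)]
	if !ok || rec.used || rec.purpose != p || !now.Before(rec.expires) {
		return "", errors.New("invalid or expired token")
	}
	rec.used = true
	return rec.userID, nil
}

// ResetPassword is the final step of the flow: consume the token, set the
// password through the caller's user store, then revoke every session of
// the user and any other outstanding reset links.
func (s *TokenStore) ResetPassword(tok, newPassword string, now time.Time, setPassword func(userID, pw string) error) error {
	userID, err := s.Consume(tok, PurposeReset, now)
	if err != nil {
		return err
	}
	if err := setPassword(userID, newPassword); err != nil {
		return err
	}
	delete(s.Sessions, userID)
	for _, r := range s.records {
		if r.userID == userID && r.purpose == PurposeReset {
			r.used = true
		}
	}
	return nil
}

func main() {
	s := NewTokenStore()
	tok, _ := s.Issue("u1", PurposeReset, time.Now())
	fmt.Println("reset link token:", tok)
}
```

Binding a purpose to each token is what stops a 24-hour verification link from being presented at the 1-hour reset endpoint; the new password should also go through the signup password policy before `setPassword` is called.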

Session Management

View and manage your active sessions from Profile:

  • See all active sessions with IP address and user agent
  • Revoke any session except your current one
  • Sessions automatically expire after 7 days of inactivity
  • Concurrent session limit: Maximum 10 sessions per user — oldest sessions are automatically evicted when the limit is reached
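The session rules from the Login section (7-day TTL, __Host- cookie) and this one (revocation, inactivity expiry, the 10-session cap with oldest-first eviction) in one store, as an added example for this page rather than RedStick AI's code. The map stands in for the Redis hot path and the PostgreSQL copy is omitted; the cookie name and Lax SameSite setting are this example's choices.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"sort"
	"time"
)

const (
	sessionTTL  = 7 * 24 * time.Hour // inactivity timeout
	maxSessions = 10
)

type Session struct {
	ID, UserID, IP, UserAgent string
	Created, LastSeen         time.Time
}

// Store is an in-memory stand-in for the Redis hot path.
type Store struct{ sessions map[string]*Session }

func NewStore() *Store { return &Store{sessions: map[string]*Session{}} }

func newID() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// Active returns the user's unexpired sessions, oldest first.
func (s *Store) Active(userID string, now time.Time) []*Session {
	var out []*Session
	for _, sess := range s.sessions {
		if sess.UserID == userID && now.Sub(sess.LastSeen) < sessionTTL {
			out = append(out, sess)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Created.Before(out[j].Created) })
	return out
}

// Create opens a session, evicting the oldest while the user is at the cap.
func (s *Store) Create(userID, ip, ua string, now time.Time) *Session {
	active := s.Active(userID, now)
	for len(active) >= maxSessions {
		delete(s.sessions, active[0].ID)
		active = active[1:]
	}
	sess := &Session{ID: newID(), UserID: userID, IP: ip, UserAgent: ua, Created: now, LastSeen: now}
	s.sessions[sess.ID] = sess
	return sess
}

// Lookup resolves a cookie value. A session idle for 7 days is dropped on
// read; a live one has LastSeen refreshed, which makes the TTL an
// inactivity timeout rather than a hard cap on session age.
func (s *Store) Lookup(id string, now time.Time) (*Session, bool) {
	sess, ok := s.sessions[id]
	if !ok {
		return nil, false
	}
	if now.Sub(sess.LastSeen) >= sessionTTL {
		delete(s.sessions, id)
		return nil, false
	}
	sess.LastSeen = now
	return sess, true
}

// Revoke kills one of the user's other sessions. The current one is
// refused, and the ownership check stops revoking another user's session.
func (s *Store) Revoke(userID, currentID, targetID string) error {
	if targetID == currentID {
		return errors.New("cannot revoke the current session")
	}
	sess, ok := s.sessions[targetID]
	if !ok || sess.UserID != userID {
		return errors.New("session not found")
	}
	delete(s.sessions, targetID)
	return nil
}

// Cookie builds the session cookie. Browsers honour the __Host- prefix only
// with Secure set, Path "/" and no Domain attribute; outside production,
// where TLS may be absent, the plain name is used instead.
func Cookie(sess *Session, production bool) *http.Cookie {
	name := "session"
	if production {
		name = "__Host-session"
	}
	return &http.Cookie{
		Name: name, Value: sess.ID, Path: "/", Secure: production,
		HttpOnly: true, SameSite: http.SameSiteLaxMode,
		MaxAge: int(sessionTTL.Seconds()),
	}
}

func main() {
	st := NewStore()
	sess := st.Create("u1", "203.0.113.7", "Mozilla/5.0", time.Now())
	fmt.Println(Cookie(sess, true).String())
}
```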

MFA Enforcement

Workspace owners and admins can require all members to use multi-factor authentication:

  • When MFA enforcement is enabled on a workspace, users without MFA enrolled receive a 403 error on all authenticated endpoints until they enroll
  • Enroll via Profile → Security using a TOTP authenticator app
  • Backup codes are provided during enrollment for account recovery
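The three points above in code, as an added example for this page and not RedStick AI's implementation: RFC 6238 TOTP verification with a one-step drift window, the per-request gate that returns 403 to un-enrolled users in an enforced workspace, and backup codes stored as hashes and burned on first use. The enrollment route that must stay reachable without MFA is an assumption of this example; the page does not name it.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"net/http"
	"time"
)

// totp is RFC 6238 with the profile authenticator apps default to:
// HMAC-SHA1, 30-second step, 6 digits.
func totp(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// VerifyTOTP accepts the current step and one either side (clock drift),
// comparing in constant time.
func VerifyTOTP(secret []byte, code string, now time.Time) bool {
	ok := 0
	for _, skew := range []int64{-30, 0, 30} {
		ok |= subtle.ConstantTimeCompare([]byte(totp(secret, now.Unix()+skew)), []byte(code))
	}
	return ok == 1
}

type Workspace struct{ MFARequired bool }

type User struct {
	TOTPSecret   []byte          // nil until the user enrolls
	BackupHashes map[string]bool // sha256 of each unused backup code
}

func (u *User) Enrolled() bool { return u.TOTPSecret != nil }

// enrollPath must stay reachable without MFA or nobody could ever enroll.
// The path itself is an assumption of this example.
const enrollPath = "/profile/security/mfa"

// Authorize is the per-request gate behind every authenticated endpoint.
// Un-enrolled users in an enforced workspace get 403, not a redirect, so
// API clients see the failure as plainly as the browser does.
func Authorize(ws Workspace, u *User, path string) int {
	if ws.MFARequired && !u.Enrolled() && path != enrollPath {
		return http.StatusForbidden
	}
	return http.StatusOK
}

// Enroll binds the secret only after the app proves it generates matching
// codes, catching a mis-scanned QR before it locks the user out.
func (u *User) Enroll(secret []byte, firstCode string, now time.Time) bool {
	if !VerifyTOTP(secret, firstCode, now) {
		return false
	}
	u.TOTPSecret = secret
	return true
}

func hashCode(c string) string {
	s := sha256.Sum256([]byte(c))
	return hex.EncodeToString(s[:])
}

// NewBackupCodes issues n single-use recovery codes, storing only hashes.
func (u *User) NewBackupCodes(n int) ([]string, error) {
	u.BackupHashes = map[string]bool{}
	codes := make([]string, n)
	for i := range codes {
		b := make([]byte, 5)
		if _, err := rand.Read(b); err != nil {
			return nil, err
		}
		codes[i] = hex.EncodeToString(b) // 10 hex characters, 40 bits
		u.BackupHashes[hashCode(codes[i])] = true
	}
	return codes, nil
}

// UseBackupCode burns the code on first use; a leaked code is then worthless.
func (u *User) UseBackupCode(c string) bool {
	h := hashCode(c)
	if !u.BackupHashes[h] {
		return false
	}
	delete(u.BackupHashes, h)
	return true
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret
	fmt.Println(totp(secret, 59))            // 287082
}
```

A production verifier should also remember the last accepted time step per user and refuse a code from that step or earlier, so a code observed over the shoulder cannot be replayed inside the 30-second window.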

Provider API Keys

Store credentials for AI providers (Anthropic, OpenAI, and others) securely:

  • Keys are encrypted at rest with AES-256-GCM
  • Only the last 4 characters (suffix) are displayed after saving
  • A health check verifies that a stored key is still accepted by its provider
  • Each user can have one key per provider
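An added example of the storage side of this list (not RedStick AI's code): AES-256-GCM sealing under a master key, the four-character suffix that is all the UI keeps in the clear, and the one-key-per-provider rule as a replace-on-save. Binding the user ID and provider name into the GCM associated data is this example's design choice, so a ciphertext moved to another row fails to decrypt; the health check against the live provider is out of scope here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Vault seals provider keys with AES-256-GCM under a 32-byte master key.
// In a deployment the master key comes from a KMS or secret manager and
// is never stored beside the ciphertext.
type Vault struct{ aead cipher.AEAD }

func NewVault(masterKey []byte) (*Vault, error) {
	if len(masterKey) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// aad binds a ciphertext to its owner and provider: a blob copied from
// another user's row, or from the OpenAI column into the Anthropic one,
// fails authentication instead of decrypting.
func aad(userID, provider string) []byte { return []byte(userID + "\x00" + provider) }

// Seal returns nonce || ciphertext || tag. A fresh random 96-bit nonce per
// save is safe at the volume of a credential table (one row per user and
// provider); high-volume uses would need a counter-based nonce instead.
func (v *Vault) Seal(userID, provider string, apiKey []byte) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, apiKey, aad(userID, provider)), nil
}

// Open reverses Seal and fails on any change to nonce, body or tag.
func (v *Vault) Open(userID, provider string, blob []byte) ([]byte, error) {
	n := v.aead.NonceSize()
	if len(blob) < n+v.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return v.aead.Open(nil, blob[:n], blob[n:], aad(userID, provider))
}

// Suffix is all the UI shows after saving: the last four characters.
func Suffix(apiKey string) string {
	if len(apiKey) <= 4 {
		return "****"
	}
	return "****" + apiKey[len(apiKey)-4:]
}

// KeyStore enforces one key per (user, provider); saving again replaces it.
type KeyStore struct {
	vault *Vault
	rows  map[string][]byte // "userID/provider" -> sealed blob; stands in for a DB table
}

func NewKeyStore(v *Vault) *KeyStore { return &KeyStore{vault: v, rows: map[string][]byte{}} }

func (s *KeyStore) Save(userID, provider, apiKey string) (string, error) {
	blob, err := s.vault.Seal(userID, provider, []byte(apiKey))
	if err != nil {
		return "", err
	}
	s.rows[userID+"/"+provider] = blob
	return Suffix(apiKey), nil
}

func (s *KeyStore) Load(userID, provider string) (string, error) {
	blob, ok := s.rows[userID+"/"+provider]
	if !ok {
		return "", errors.New("no key stored")
	}
	pt, err := s.vault.Open(userID, provider, blob)
	return string(pt), err
}

func main() {
	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil { // demo only; use a KMS-managed key
		panic(err)
	}
	v, _ := NewVault(master)
	ks := NewKeyStore(v)
	suffix, _ := ks.Save("u1", "anthropic", "sk-ant-example-key-1234")
	fmt.Println("stored, shown as", suffix) // ****1234
}
```

Storing only the suffix in the clear means a leaked UI response or log line reveals nothing usable; the full key is decrypted only at the moment a request to the provider is made.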