Corvex Documentation
Platform APIs

Authentication

How the dashboard and internal routes trust users, companies, and server-only keys.

The app uses a split model:

  • the dashboard is reached through normal app auth (a signed-in user session),
  • internal mutating routes are called from the signed-in UI and are authorized on the server with that user's session, not by trusting the caller,
  • and server-only operations use environment secrets that never reach the browser.

What to protect

  • SUPABASE_SERVICE_ROLE_KEY
  • payment-provider secret keys
  • MCP API keys and OAuth client secrets
  • Stripe connect or checkout secrets
  • any helper token used to reach private server routes

How the app scopes requests

The settings pages usually scope a request with one of these values:

  • companyId
  • workspaceId
  • a tenant subdomain
  • a portal or invoice identifier

That keeps portal and billing changes attached to the correct company. The identifier only selects the tenant; because it arrives in the request, the route must still confirm that the signed-in user belongs to that company (and holds a role allowed to change it) before it writes anything.
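The following is an added example, not Corvex's own code. It writes one internal mutating route as a plain function so it runs without a web framework, and shows the checks the split model and request scoping together imply: resolve the caller from normal app auth, confirm membership in the companyId the request is scoped to, then do the privileged write with a server-only key that never appears in the response. The session store, membership table, settings table and "service client" are constructed in-memory stand-ins; the route name updatePortalSettings and the owner/member roles are assumptions.

```typescript
// Added example (not Corvex's own code). Framework-free sketch of one internal
// mutating route: session check, tenant scoping + membership check, privileged
// write with a server-only key that never reaches the browser.

type Session = { userId: string };
type Membership = { userId: string; companyId: string; role: "owner" | "member" };
type RouteRequest = { sessionCookie?: string; body: { companyId?: unknown; supportEmail?: unknown } };
type RouteResponse = { status: number; body: Record<string, unknown> };

// Constructed sample data standing in for the session store and membership table.
const SESSIONS: Record<string, Session> = {
  "sess-alice": { userId: "u-alice" },
  "sess-bob": { userId: "u-bob" },
};
const MEMBERSHIPS: Membership[] = [
  { userId: "u-alice", companyId: "co-1", role: "owner" },
  { userId: "u-bob", companyId: "co-2", role: "member" },
];
const PORTAL_SETTINGS: Record<string, { supportEmail: string }> = {
  "co-1": { supportEmail: "help@co-1.example" },
  "co-2": { supportEmail: "help@co-2.example" },
};

// Server-only secret. In the real app this is SUPABASE_SERVICE_ROLE_KEY read from
// the server's environment; a constructed value is used so the example runs offline.
const SERVICE_ROLE_KEY = "constructed-service-role-key-do-not-ship";

// Stand-in for a privileged database client built with the service-role key.
// Anything that needs this key has to live in server code.
function serviceClient(key: string) {
  if (key !== SERVICE_ROLE_KEY) throw new Error("service client requires the server-only key");
  return {
    updatePortal(companyId: string, supportEmail: string) {
      PORTAL_SETTINGS[companyId] = { supportEmail };
      return PORTAL_SETTINGS[companyId];
    },
  };
}

function updatePortalSettings(req: RouteRequest): RouteResponse {
  // 1. Who is calling? Normal app auth: resolve the session cookie to a user.
  const session = req.sessionCookie ? SESSIONS[req.sessionCookie] : undefined;
  if (!session) return { status: 401, body: { error: "not signed in" } };

  // 2. Which tenant is the request scoped to, and may this user touch it?
  //    companyId is chosen by the client, so it is a selector, not proof of access.
  const { companyId, supportEmail } = req.body;
  if (typeof companyId !== "string" || typeof supportEmail !== "string") {
    return { status: 400, body: { error: "companyId and supportEmail are required" } };
  }
  const membership = MEMBERSHIPS.find((m) => m.userId === session.userId && m.companyId === companyId);
  // Returning 404 instead of 403 here would also avoid confirming to outsiders that the company exists.
  if (!membership) return { status: 403, body: { error: "not a member of this company" } };
  if (membership.role !== "owner") {
    return { status: 403, body: { error: "only owners may change portal settings" } };
  }

  // 3. Do the privileged write on the server. The key is used here and is never
  //    placed in the response body, headers, or any value the UI receives.
  const settings = serviceClient(SERVICE_ROLE_KEY).updatePortal(companyId, supportEmail);
  return { status: 200, body: { companyId, settings } };
}

// Boundary check a test suite can run against every route: no response may carry the secret.
function responseLeaksSecret(res: RouteResponse): boolean {
  return JSON.stringify(res).includes(SERVICE_ROLE_KEY);
}

const demo = updatePortalSettings({
  sessionCookie: "sess-alice",
  body: { companyId: "co-1", supportEmail: "support@co-1.example" },
});
console.log(demo.status, responseLeaksSecret(demo)); // 200 false
```

The order matters: authentication first, then the tenant check against the session's user, then the secret-bearing call. A route that builds the service client before checking membership has already handed a privileged handle to an unverified request path.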

Rule of thumb

If the browser can reach a secret, the boundary is wrong.
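The following is an added example, not Corvex's own code, that turns the rule above into a build-time check over source text. It assumes (the page does not say this) a Next.js-style convention where only variables prefixed NEXT_PUBLIC_ are inlined into the browser bundle, so any other name referenced from client code is either missing at runtime or, if it ever did resolve, a leak. Every secret name except SUPABASE_SERVICE_ROLE_KEY, and the sample file contents, are constructed.

```typescript
// Added example (not Corvex's own code). Two static guards for the secret
// boundary: (1) client-shipped files must not read server-only env vars, and
// (2) a server secret must not be smuggled into the browser by renaming it
// under the public prefix. Assumes a Next.js-style NEXT_PUBLIC_ convention.

const PUBLIC_PREFIX = "NEXT_PUBLIC_";

// Names that must only ever be read in server code (all but the first are assumed names).
const SERVER_ONLY_SECRETS = new Set<string>([
  "SUPABASE_SERVICE_ROLE_KEY",
  "STRIPE_SECRET_KEY",          // assumed name for the payment-provider secret
  "MCP_API_KEY",                // assumed name
  "MCP_OAUTH_CLIENT_SECRET",    // assumed name
  "INTERNAL_ROUTE_TOKEN",       // assumed name for the helper token that reaches private routes
]);

type Finding = { file: string; line: number; name: string; severity: "secret" | "warning" };

// Matches process.env.NAME, process.env["NAME"] and process.env['NAME'].
const ENV_REF = /process\.env(?:\.([A-Z0-9_]+)|\[\s*["']([A-Z0-9_]+)["']\s*\])/g;

// Scan one file that ships to the browser (a client component, page, or hook).
function scanClientFile(file: string, source: string): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((text, idx) => {
    ENV_REF.lastIndex = 0; // global regex: restart matching for each line
    let m: RegExpExecArray | null;
    while ((m = ENV_REF.exec(text)) !== null) {
      const name = (m[1] ?? m[2]) as string;
      if (SERVER_ONLY_SECRETS.has(name)) {
        findings.push({ file, line: idx + 1, name, severity: "secret" });
      } else if (!name.startsWith(PUBLIC_PREFIX)) {
        findings.push({ file, line: idx + 1, name, severity: "warning" });
      }
    }
  });
  return findings;
}

// The other route into the bundle: a server secret renamed under the public prefix.
function findMisprefixedSecrets(envNames: string[]): string[] {
  return envNames.filter(
    (n) => n.startsWith(PUBLIC_PREFIX) && /SERVICE_ROLE|SECRET|PRIVATE_KEY/.test(n.slice(PUBLIC_PREFIX.length)),
  );
}

// Constructed sample: a client component that reads one safe value, two secrets, and one stray name.
const SAMPLE_CLIENT_FILE = [
  "const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;",
  "const adminKey = process.env.SUPABASE_SERVICE_ROLE_KEY; // wrong side of the boundary",
  'const token = process.env["INTERNAL_ROUTE_TOKEN"];',
  "const mode = process.env.APP_MODE;",
].join("\n");

function runSampleScan(): Finding[] {
  return scanClientFile("app/settings/portal-form.tsx", SAMPLE_CLIENT_FILE);
}

for (const f of runSampleScan()) {
  console.log(`${f.severity}: ${f.file}:${f.line} ${f.name}`);
}
```

Run the scan over the client-side directories in CI and fail the build on any "secret" finding; treat "warning" findings as a review prompt, since a non-public variable in client code is usually a mistake even when it is not one of the listed secrets.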
