Access controls
Beakr uses JWT-based authentication, API key authentication, role-based access control, and CSRF protection to secure every request.
Authentication
Beakr supports two authentication methods:
User authentication (Clerk)
JWT-based authentication through Clerk, a SOC 2 Type II certified identity provider. Supports email/password, social login, and multi-factor authentication (MFA).
API key authentication
For programmatic access. Keys use the bk_live_ prefix, are generated with 256-bit entropy, and validated via constant-time comparison to prevent timing attacks.
Role-based access control (RBAC)
Access is controlled through a hierarchical role system:
| Role | Capabilities |
|---|---|
| Viewer | Read-only access to shared resources |
| Member | Create and manage own resources |
| Admin | Manage team members and settings |
| Owner | Full control including billing and deletion |
Access is evaluated at multiple levels:
- Organization — Membership and role within the organization.
- Space — Team or lab groupings with inherited permissions.
- Project — Granular access grants for individual projects (read, write, share).
Space administrators inherit access to all projects within their space. Cross-organization sharing uses explicit, auditable access grants.
CSRF protection
All state-changing requests are protected against cross-site request forgery using Origin and Referer header validation.