- Add intelligent-router.sh hook for automatic agent routing
- Add AUTO-TRIGGER-SUMMARY.md documentation
- Add FINAL-INTEGRATION-SUMMARY.md documentation
- Complete Prometheus integration (6 commands + 4 tools)
- Complete Dexto integration (12 commands + 5 tools)
- Enhanced Ralph with access to all agents
- Fix /clawd command (removed disable-model-invocation)
- Update hooks.json to v5 with intelligent routing
- 291 total skills now available
- All 21 commands with automatic routing

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Dexto Server Security
🔒 Authentication Overview
The Dexto server implements API key authentication to protect against unauthorized access.
Configuration
Environment Variables
# Required for production security
DEXTO_SERVER_API_KEY=your-secret-api-key-here
# Optional: Enable production mode (requires API key)
NODE_ENV=production
# Optional: Explicitly require auth even in development
DEXTO_SERVER_REQUIRE_AUTH=true
Security Modes
| Mode | Environment | Auth Required | Notes |
|---|---|---|---|
| Development (default) | No env vars | ❌ No | Default mode - safe for local dev |
| Production | NODE_ENV=production + DEXTO_SERVER_API_KEY | ✅ Yes | Requires API key authentication |
| Explicit Auth | DEXTO_SERVER_REQUIRE_AUTH=true + DEXTO_SERVER_API_KEY | ✅ Yes | Force auth in any environment |
Usage
Client Authentication
HTTP Requests:
curl -H "Authorization: Bearer your-api-key" \
http://localhost:3000/api/llm/current
JavaScript Fetch:
fetch('http://localhost:3000/api/message', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer your-api-key',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ message: 'Hello' })
});
Public Routes (No Auth Required)
These routes are always accessible:
- GET /health - Health check
- GET /.well-known/agent-card.json - A2A agent discovery
- GET /openapi.json - API documentation
Security Best Practices
✅ DO:
- Set DEXTO_SERVER_API_KEY in production

      export DEXTO_SERVER_API_KEY=$(openssl rand -base64 32)

- Use HTTPS in production
  - Deploy behind reverse proxy (nginx, Caddy, Cloudflare)
  - Never send API keys over unencrypted HTTP
- Rotate API keys regularly

      # Generate new key
      NEW_KEY=$(openssl rand -base64 32)
      # Update environment variable
      export DEXTO_SERVER_API_KEY=$NEW_KEY
      # Restart server

- Use environment-specific keys
  - Different keys for dev/staging/production
  - Never commit keys to version control
- Monitor unauthorized access attempts
  - Check logs for "Unauthorized API access attempt" warnings
  - Set up alerts for repeated failures
❌ DON'T:
- Don't use weak or guessable API keys
  - ❌ DEXTO_SERVER_API_KEY=password123
  - ❌ DEXTO_SERVER_API_KEY=dexto
  - ✅ DEXTO_SERVER_API_KEY=$(openssl rand -base64 32)
- Don't expose API keys in client-side code

      // ❌ NEVER DO THIS
      const apiKey = 'sk-abc123...';
      fetch('/api/message', {
        headers: { 'Authorization': `Bearer ${apiKey}` }
      });

- Don't set DEXTO_SERVER_REQUIRE_AUTH=false in production
  - Only use for testing on isolated networks
- Don't share API keys across environments
  - Each environment should have its own key
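The DO and DON'T items above can be enforced before the server starts. The following is an added example, not part of the Dexto code base: `checkAuthEnv`, `WEAK_KEYS` and `MIN_KEY_CHARS` are hypothetical names, and the length threshold assumes keys generated with `openssl rand -base64 32`.

```javascript
// Added example: pre-start lint for the environment variables on this page.
// WEAK_KEYS and MIN_KEY_CHARS are hypothetical choices, not Dexto settings.
const WEAK_KEYS = new Set(['password123', 'dexto', 'your-secret-api-key-here']);
const MIN_KEY_CHARS = 43; // unpadded base64 length of 32 random bytes

function checkAuthEnv(env) {
  const findings = [];
  const key = env.DEXTO_SERVER_API_KEY ?? '';
  const production = env.NODE_ENV === 'production';
  const authForced = env.DEXTO_SERVER_REQUIRE_AUTH === 'true';

  // Production and explicit-auth modes both need a key (see Security Modes).
  if ((production || authForced) && key === '') {
    findings.push('auth is required in this mode but DEXTO_SERVER_API_KEY is not set');
  }
  if (production && env.DEXTO_SERVER_REQUIRE_AUTH === 'false') {
    findings.push('DEXTO_SERVER_REQUIRE_AUTH=false must not be used in production');
  }
  if (key !== '') {
    if (WEAK_KEYS.has(key.toLowerCase())) {
      findings.push('API key is a known weak or placeholder value');
    } else if (key.replace(/=+$/, '').length < MIN_KEY_CHARS) {
      findings.push(`API key is shorter than ${MIN_KEY_CHARS} characters`);
    } else if (new Set(key).size < 10) {
      findings.push('API key has very few distinct characters');
    }
  }
  return findings;
}

// Constructed sample environments (the key below is made up, not a real secret).
const good = {
  NODE_ENV: 'production',
  DEXTO_SERVER_API_KEY: 'q3V0c1pXb2xkR2h5ZkN4T2t1SmJtN0d6eEw5YVRwUWU=',
};
const bad = {
  NODE_ENV: 'production',
  DEXTO_SERVER_REQUIRE_AUTH: 'false',
  DEXTO_SERVER_API_KEY: 'dexto',
};
console.log(checkAuthEnv(good));
console.log(checkAuthEnv(bad));
```

In a deployment script, call `checkAuthEnv(process.env)` and refuse to start when it returns any findings.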
Development Workflow
Local Development (No Auth)
# Start server in development mode
NODE_ENV=development npm start
# Access from browser without auth
curl http://localhost:3000/api/llm/current
Production Deployment
# Generate secure API key
export DEXTO_SERVER_API_KEY=$(openssl rand -base64 32)
# Start server in production mode
NODE_ENV=production npm start
# All requests now require authentication
curl -H "Authorization: Bearer $DEXTO_SERVER_API_KEY" \
https://api.example.com/api/llm/current
Threat Model
Protected Against:
- ✅ Unauthorized API access
- ✅ Unauthorized message sending
- ✅ Unauthorized configuration changes
- ✅ Unauthorized session/memory access
- ✅ Brute force attacks (when combined with rate limiting)
Not Protected Against (Additional Measures Needed):
- ⚠️ DDoS attacks → Add rate limiting middleware
- ⚠️ API key leakage → Use secrets management (Vault, AWS Secrets Manager)
- ⚠️ Man-in-the-middle → Use HTTPS/TLS
- ⚠️ Insider threats → Implement audit logging
Additional Security Layers (Recommended)
1. Rate Limiting
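import { rateLimiter } from 'hono-rate-limiter';

app.use('*', rateLimiter({
  windowMs: 15 * 60 * 1000, // 15 minutes
  limit: 100, // limit each client key to 100 requests per windowMs
  // hono-rate-limiter needs a keyGenerator; keying on the proxy-set
  // X-Forwarded-For header is an assumption, adjust to your deployment
  keyGenerator: (c) => c.req.header('x-forwarded-for') ?? 'unknown',
}));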
2. IP Whitelisting
# Add to your reverse proxy (nginx example)
location /api {
    allow 10.0.0.0/8;
    deny all;
    proxy_pass http://localhost:3000;
}
3. Network Isolation
- Deploy API server on private network
- Use VPN or private networking for access
- Firewall rules to restrict incoming connections
Logging and Monitoring
The server logs authentication events:
# Successful auth (debug level)
Authorization successful for /api/llm/current
# Failed auth (warning level)
⚠️ Unauthorized API access attempt
path: /api/message
hasKey: false
origin: https://malicious.com
userAgent: curl/7.81.0
Set up monitoring for:
- Repeated 401 responses
- Unusual access patterns
- Requests from unexpected IPs/origins
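One way to turn the warning records above into a "repeated failures" alert, as an added example that is not part of the Dexto code base. The function names and the threshold are hypothetical, and the parser assumes each warning is followed by the `path`, `hasKey`, `origin` and `userAgent` lines shown above.

```javascript
// Added example: group the warning records shown above and flag repeated failures.
const FIELD = /^\s*(path|hasKey|origin|userAgent):\s*(.*)$/;

function parseUnauthorized(logText) {
  const records = [];
  let current = null;
  for (const line of logText.split(/\r?\n/)) {
    if (line.includes('Unauthorized API access attempt')) {
      current = {};
      records.push(current);
      continue;
    }
    const m = current && FIELD.exec(line);
    if (m) current[m[1]] = m[2].trim();
    else current = null; // any other line ends the record
  }
  return records;
}

// threshold is a hypothetical alerting choice, not a Dexto default.
function repeatedFailures(records, threshold = 3) {
  const bySource = new Map();
  for (const r of records) {
    const source = `${r.origin ?? '-'} | ${r.userAgent ?? '-'}`;
    const s = bySource.get(source) ?? { source, total: 0, withKey: 0, paths: new Set() };
    s.total += 1;
    if (r.hasKey === 'true') s.withKey += 1; // a key was sent but rejected
    if (r.path) s.paths.add(r.path);
    bySource.set(source, s);
  }
  return [...bySource.values()].filter((s) => s.total >= threshold);
}

// Constructed sample log in the format shown above.
const rec = (path, hasKey, origin, ua) =>
  `⚠️ Unauthorized API access attempt\n  path: ${path}\n  hasKey: ${hasKey}\n` +
  `  origin: ${origin}\n  userAgent: ${ua}`;
const sampleLog = [
  rec('/api/message', false, 'https://malicious.com', 'curl/7.81.0'),
  'Authorization successful for /api/llm/current',
  rec('/api/message', true, 'https://malicious.com', 'curl/7.81.0'),
  rec('/api/llm/current', true, 'https://malicious.com', 'curl/7.81.0'),
  rec('/api/message', false, 'https://app.example.com', 'Mozilla/5.0'),
].join('\n');
const alerts = repeatedFailures(parseUnauthorized(sampleLog));
console.log(alerts);
```

A high `withKey` count means a key was presented and rejected, which points at key guessing or a stale client key rather than an unauthenticated probe.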
FAQ
Q: Can I use the API without authentication in development?
A: Yes, set NODE_ENV=development and access from localhost.
Q: How do I generate a secure API key?
A: Use openssl rand -base64 32 or a password manager.
Q: Can I use multiple API keys?
A: Currently no. For multi-tenant scenarios, implement token-based auth with JWT.
Q: What if my API key is compromised?
A: Generate a new key immediately and update all clients.
Q: Does SSE need authentication too?
A: Yes, pass Authorization: Bearer <key> header when connecting to the event stream.
Q: Can I disable auth for specific routes?
A: Public routes (/health, /.well-known/agent-card.json) are always accessible. To add more, modify PUBLIC_ROUTES in middleware/auth.ts.
Contact
For security concerns or to report vulnerabilities, contact: security@dexto.dev