Authentication

How Spindle handles sign-in, sessions, and API access.

Spindle is built around secure session-based access for the dashboard and API key-based access for programmatic usage.

Sign-In Options

Users can authenticate with email-based sign-in flows such as OTP and magic links.

  • Passwordless UX: Sign in without managing passwords.
  • Email Delivery: Verification and sign-in links are delivered by email.
  • Secure Sessions: Successful sign-in creates an HTTP-only session cookie for dashboard access.

Dashboard Sessions

When signed in through the web app, requests are authenticated with a secure cookie.

  • Cookies are HTTP-only and not exposed to browser JavaScript.
  • Sessions persist across dashboard requests until expiry or logout.
  • Most authenticated dashboard actions use the existing browser session automatically.

API Access

Programmatic access should use API keys instead of browser sessions.

  • Generate keys in Settings → API Keys.
  • Pass the key using Authorization: Bearer ... or x-api-key.
  • Include x-team-id for team-scoped requests.

Production Cookie Setup

If you host the dashboard and API on separate subdomains, configure them beneath the same parent domain so session cookies work correctly.

Example:

  • Dashboard: app.yourdomain.com
  • API: api.yourdomain.com
  • Cookie domain: .yourdomain.com
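The layout above can be checked before deployment with the cookie domain-matching rule from RFC 6265. This is an added example, not Spindle's own code: the function names are hypothetical, the extra hosts in the inventory are constructed, and hosts are assumed to be bare hostnames without ports.

```javascript
// Normalise a cookie Domain attribute as RFC 6265 section 5.2.3 does:
// lower-case it and drop a single leading dot.
function normalizeCookieDomain(domainAttr) {
  const d = domainAttr.trim().toLowerCase();
  return d.startsWith(".") ? d.slice(1) : d;
}

// RFC 6265 section 5.1.3 domain-match: the host equals the domain, or it
// ends with "." + domain and is not an IP address.
function domainMatches(host, domainAttr) {
  const h = host.toLowerCase();
  const d = normalizeCookieDomain(domainAttr);
  if (d === "") return false;
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// requiredHosts must all receive the session cookie; otherHosts is an
// inventory of additional hostnames to audit for unintended cookie scope.
function checkCookieScope(cookieDomain, requiredHosts, otherHosts = []) {
  const missing = requiredHosts.filter((h) => !domainMatches(h, cookieDomain));
  const alsoReceives = otherHosts.filter((h) => domainMatches(h, cookieDomain));
  return { ok: missing.length === 0, missing, alsoReceives };
}

// Constructed sample: the page's placeholder hosts plus three extra names.
const scopeReport = checkCookieScope(
  ".yourdomain.com",
  ["app.yourdomain.com", "api.yourdomain.com"],
  ["blog.yourdomain.com", "app.yourdomain.com.example.net", "notyourdomain.com"]
);
console.log(scopeReport);
```

Any host listed under alsoReceives is sent the session cookie as well, because a cookie scoped to the parent domain goes to every subdomain beneath it.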

Recommended Usage Model

  • Use the dashboard for account, billing, team, and key management.
  • Use API keys for integrations, automation, pipelines, and server-to-server requests.
