Security Overview

Security boundaries

• Dashboard auth: Okta + NextAuth session protection
• Convex data layer: server inventory, health history, alerts
• Monitor API: network-exposed operational endpoint

No built-in API authentication

license-monitor currently does not enforce built-in API auth headers in the Rust API handlers. Treat it as an internal service and protect it at network/proxy layers.

Recommended controls

• Keep monitor APIs on private interfaces where possible
• Use firewall rules and allowlists between tiers
• Use HTTPS at dashboard ingress
• Rotate Okta and app secrets regularly
• Centralize logs for incident review

Secret handling

Store secrets in your environment management platform. Do not commit .env values or keys.