Authentication
WorkOS SSO, Unkey API keys, and resident auth on Intry.
Overview
Intry uses different auth mechanisms depending on which surface you call.
Admin API (/api/admin/*)
WorkOS (interactive)
Operators sign in through the admin dashboard. The SPA obtains a session from WorkOS; subsequent API calls include the session cookie or bearer material issued by that flow. Implementation details live in src/routes/admin/auth.ts and src/middleware/workosAuth.ts.
Unkey (machine clients)
Automations, MCP servers, and CI jobs should use Unkey-issued API keys:
Authorization: Bearer <unkey_api_key>
Keys can carry scopes and rate limits. Rotate keys from /api/admin/api-keys (or Unkey dashboard) when staff changes roles.
See docs/AGENT_UNKEY_KEYS.md in the repo for agent-specific key tiers.
Core API (mobile / resident)
Registration & login
/registration/* handles resident signup and login (bcrypt-hashed passwords on User, JWTs for subsequent calls). Exact payloads mirror the mobile client contracts.
Device registration
/devices/* associates FCM/APNs tokens with a Device row. Always send the authenticated user context expected by the route handler.
Twilio webhooks
/twilio/* endpoints validate Twilio request signatures using your Twilio auth token. Never expose those URLs without signature verification.
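The signature check described above, as an added example (not Intry's own code). It covers form-encoded POST webhooks only, following Twilio's documented X-Twilio-Signature scheme; the function names, host name, token, and sample parameters are constructed for illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Twilio signs form-encoded POST webhooks as:
//   base64( HMAC-SHA1( authToken, url + name1 + value1 + name2 + value2 ... ) )
// with parameters sorted by name (case-sensitive). `url` must be the exact
// public URL Twilio requested, including scheme and query string, so behind a
// proxy it has to be rebuilt from the forwarded scheme and host.
function expectedTwilioSignature(
  authToken: string,
  url: string,
  params: Record<string, string>
): string {
  const data = Object.keys(params)
    .sort()
    .reduce((acc, name) => acc + name + params[name], url);
  return createHmac("sha1", authToken).update(data, "utf8").digest("base64");
}

// Returns true only when the X-Twilio-Signature header matches. A missing
// header is a rejection, and the comparison is constant-time.
function isValidTwilioRequest(
  authToken: string,
  url: string,
  params: Record<string, string>,
  signatureHeader: string | undefined
): boolean {
  if (!signatureHeader) return false;
  const expected = Buffer.from(expectedTwilioSignature(authToken, url, params));
  const given = Buffer.from(signatureHeader);
  // timingSafeEqual throws on unequal lengths, so check length first.
  return expected.length === given.length && timingSafeEqual(expected, given);
}

// Constructed sample request (hypothetical host, token, and values).
const SAMPLE_TOKEN = "constructed-test-token";
const SAMPLE_URL = "https://intry.example/twilio/sms";
const SAMPLE_PARAMS = { To: "+15550100", From: "+15550199", Body: "Gate code?" };

const sampleSig = expectedTwilioSignature(SAMPLE_TOKEN, SAMPLE_URL, SAMPLE_PARAMS);
console.log("genuine request accepted:",
  isValidTwilioRequest(SAMPLE_TOKEN, SAMPLE_URL, SAMPLE_PARAMS, sampleSig));
console.log("tampered body accepted:",
  isValidTwilioRequest(SAMPLE_TOKEN, SAMPLE_URL, { ...SAMPLE_PARAMS, Body: "x" }, sampleSig));
console.log("missing header accepted:",
  isValidTwilioRequest(SAMPLE_TOKEN, SAMPLE_URL, SAMPLE_PARAMS, undefined));
```

A handler would call isValidTwilioRequest before any parsing or side effects and answer 403 on false.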
Practical checklist
- TLS enabled end-to-end in production
- X-Admin-Env set correctly when using the admin proxy
- Unkey keys scoped to least privilege
- Secrets stored in Railway/Fly dashboards, not committed to git