Authentication Overview
f0 supports optional authentication to protect private documentation. When enabled, users must verify their email address to access content.
Authentication Modes
f0 operates in one of two modes, configured via the AUTH_MODE environment variable:
Public Mode (Default)
```env
AUTH_MODE=public
```
All documentation is accessible without login. Use this for:
- Open source project documentation
- Public API references
- Marketing/product documentation
Private Mode
```env
AUTH_MODE=private
```
All routes require authentication except:
- `/login` — The login page
- `/api/auth/*` — Authentication endpoints
- `/_nuxt/*` — Framework assets
In private mode, ensure you have configured the allowlist and email settings before deployment.
f0 uses a passwordless, email-based OTP (One-Time Password) flow:
- User enters email — On the login page
- System checks allowlist — Email must be pre-approved
- OTP is generated — 8-digit code, valid for 5 minutes
- Email is sent — Via AWS SES
- User enters code — Max 3 attempts
- JWT is issued — Valid for 72 hours
```text
+----------+      +----------+      +----------+
|   User   |----->|    f0    |----->| AWS SES  |
| Browser  |<-----|  Server  |<-----|  Email   |
+----------+      +----------+      +----------+
      |                 |
      |    JWT Token    |
      |<----------------|
```
Security Features
Email Allowlist
Only pre-approved emails can authenticate. Configure in /private/allowlist.json:
```json
{
  "emails": [
    "[email protected]",
    "[email protected]"
  ],
  "domains": [
    "@company.com"
  ]
}
```
Rate Limiting
To prevent abuse:
- Max 3 OTP requests per 5 minutes per email
- Max 3 verification attempts per OTP
- Failed attempts are logged
Secure Storage
- OTPs are stored in memory with TTL (time-to-live)
- JWTs are signed with a secret key
- No passwords are ever stored
Next Steps
For more details on configuring f0 authentication:
- Review the `.env.example` file for all available options
- Check the `/private/allowlist.json` file for access control
- See the API Reference for authentication endpoints