Authentication

Airlock handles authentication at multiple levels: user authentication to the Control Room, and API authentication for connecting to target services.

User Authentication

Users authenticate to the Airlock Control Room using:

  • Email/Password: Standard email and password login
  • Google OAuth: Sign in with Google

Organization Membership

Each user belongs to an organization. Organizations provide:

  • Isolated data (servers, policies, users)
  • Shared billing and quotas
  • Team collaboration

API Authentication

When connecting AI agents to APIs through Airlock, credentials are stored and used per user: each user connects their own account to a server.

OAuth Integrations

For services that support OAuth (like Google Calendar):

  1. Go to your server's detail page
  2. Click the Connect button
  3. Complete the authorization flow in the popup window
  4. Airlock securely stores your OAuth tokens

OAuth tokens are automatically refreshed when they expire.

API Key Integrations

For services that use API keys or bearer tokens:

  1. Admin Setup: Your organization admin configures the API connection details for the server
  2. User Connection: Go to your server's detail page
  3. Enter your API credentials (API key or bearer token)
  4. Click Save

Credential Security

All credentials are encrypted at rest using AES-256-GCM:

  • Encryption happens before storage
  • Keys are managed securely
  • Credentials are decrypted only when making API calls
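The encrypt-before-storage, decrypt-only-at-call-time pattern described above, as an added Go example that is not Airlock's own code: a hypothetical vault that seals each credential with AES-256-GCM and, going one step beyond the text, binds the record to its org/user/server scope as associated data so a ciphertext copied into another user's row will not decrypt. The 32-byte master key is assumed to come from a KMS or secret store, which is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Vault is a hypothetical per-user credential store: one 32-byte master key (assumed to be
// loaded from a KMS), AES-256-GCM, and a random 96-bit nonce prefixed to each stored record.
type Vault struct{ aead cipher.AEAD }
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts a credential before it is written to storage. The scope ("org/user/server")
// is authenticated as associated data, so the same bytes cannot be reused under another scope.
func (v *Vault) Seal(scope, credential string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || 16-byte GCM tag.
	return v.aead.Seal(nonce, nonce, []byte(credential), []byte(scope)), nil
}
// Open decrypts only at API-call time; the GCM tag check rejects tampered records and wrong scopes.
func (v *Vault) Open(scope string, record []byte) (string, error) {
	ns := v.aead.NonceSize()
	if len(record) < ns+v.aead.Overhead() {
		return "", errors.New("stored record too short")
	}
	plain, err := v.aead.Open(nil, record[:ns], record[ns:], []byte(scope))
	if err != nil {
		return "", err // authentication failed: do not fall back to a partial plaintext
	}
	return string(plain), nil
}
```

Because every record carries its own random nonce, the same token sealed twice yields different ciphertexts, so stored records cannot be compared to learn that two users share a credential.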

MCP Connection Authentication

When AI agents connect to Airlock via MCP, they authenticate using MCP OAuth 2.0:

  1. Add the MCP URL to your AI client (Claude Desktop, Augment, etc.)
  2. The client initiates the OAuth flow automatically
  3. You authenticate in your browser
  4. The client receives access tokens and connects

This happens seamlessly when you add a new connector in Claude Desktop.

Best Practices

  1. Use OAuth When Available: OAuth provides better security than static API keys
  2. Rotate Credentials Regularly: Update API tokens periodically
  3. Use Least Privilege: Provide tokens with minimal required permissions
  4. Monitor Usage: Check audit logs for unusual activity
  5. Revoke Unused Access: Remove credentials when no longer needed