
Authentication

Airlock handles authentication at multiple levels: user authentication to the Control Room, and API authentication for connecting to target services.

User Authentication

Users authenticate to the Airlock Control Room using:

  • Email/Password: Standard email and password login
  • Google OAuth: Sign in with Google

Organization Membership

Each user belongs to an organization. Organizations provide:

  • Isolated data (servers, policies, users)
  • Shared billing and quotas
  • Team collaboration

API Authentication

When connecting AI agents to APIs through Airlock, credentials are handled per-user.

Built-in OAuth Integrations

Some integrations (GitHub, Google Calendar, Gmail, Fathom) have pre-configured OAuth credentials managed by Airlock:

  1. Go to your server's detail page
  2. Click the Connect button
  3. Complete the authorization flow in the popup window
  4. Airlock securely stores your OAuth tokens

OAuth tokens are automatically refreshed when they expire.

Standard OAuth Integrations

Most pre-built integrations (Notion, Linear, Atlassian, etc.) use standard OAuth with the upstream service. The flow is the same — click Connect and authorize.

API Key Integrations

For services that use API keys or bearer tokens (e.g., Datadog, custom APIs):

  1. Go to your server's detail page
  2. Enter your API credentials (API key or bearer token)
  3. Click Save

Credential Security

All credentials are encrypted at rest using AES-256-GCM:

  • Encryption happens before storage
  • Keys are managed securely
  • Credentials are decrypted only when making API calls

MCP Connection Authentication

When AI agents connect to Airlock via MCP, they authenticate using MCP OAuth 2.0:

  1. Add the MCP URL to your AI client (Claude Desktop, Claude Code, Augment, etc.)
  2. The client initiates the OAuth flow automatically
  3. You authenticate in your browser
  4. The client receives access tokens and connects

This happens seamlessly when you add a new connector in Claude Desktop.

Session Persistence

MCP connections stay active without requiring you to re-authenticate:

  • Access tokens expire after 8 hours and are refreshed automatically
  • Refresh tokens are valid for 30 days
  • Your AI client handles token refresh transparently — no action needed on your part

After 30 days, or if you revoke access from the Airlock dashboard, the client will prompt you to re-authenticate.

Token Security

  • All tokens are encrypted at rest using AES-256-GCM
  • Refresh tokens are stored as cryptographic hashes — even a database breach would not expose usable credentials
  • Tokens are bound to your account and the specific client that requested them
  • Revoking access from Cognito (e.g., signing out) immediately invalidates all refresh tokens

Best Practices

  1. Use OAuth When Available: OAuth provides better security than static API keys
  2. Rotate Credentials Regularly: Update API tokens periodically
  3. Use Least Privilege: Provide tokens with minimal required permissions
  4. Monitor Usage: Check audit logs for unusual activity
  5. Revoke Unused Access: Remove credentials when no longer needed
