Authentication & permissions

Cookie sessions with CSRF, role and permission checks, admin impersonation and the audit trail.

Slicekit authenticates browsers with HTTP-only cookie sessions, which keeps session tokens out of reach of JavaScript and out of localStorage. Because browsers attach cookies automatically, every state-changing request is also protected against CSRF with a token the frontend echoes back in a request header.

The frontend never handles a raw credential; the typed API client attaches the cookie and the CSRF header for you. See the API client.

Authorization

Authorization is permission-based. Endpoints declare the permission they require, and a check runs before the handler:

app.MapPost("/api-keys", CreateApiKeyEndpoint.Handle)
   .RequirePermission(Allow.UserCreateApiKey);

There are no roles: permissions are granted individually from a single catalog (the Allow class), and API keys carry their own scoped subset. A bulk permissions endpoint lets an admin grant or revoke many at once; the change is audited.
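As an added illustration (not Slicekit's own code), one way to implement a `RequirePermission` extension of the shape shown above in ASP.NET Core minimal APIs: an endpoint filter that runs before the handler and short-circuits with 401 or 403. The `perm` claim type, the `Allow` constant's value, and the configured authentication scheme are assumptions.

```csharp
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var app = WebApplication.CreateBuilder(args).Build();
// Assumes authentication middleware (e.g. cookie sessions) is configured
// elsewhere so that HttpContext.User is populated before the filter runs.

// Same shape as the page's example: the permission check precedes the handler.
app.MapPost("/api-keys", () => Results.Created("/api-keys/placeholder", null))
   .RequirePermission(Allow.UserCreateApiKey);

app.Run();

// Hypothetical permission catalog standing in for Slicekit's Allow class.
public static class Allow
{
    public const string UserCreateApiKey = "user:create-api-key";
}

// Endpoint filter that enforces one permission from the catalog.
public sealed class PermissionFilter : IEndpointFilter
{
    private readonly string _permission;
    public PermissionFilter(string permission) => _permission = permission;

    public async ValueTask<object?> InvokeAsync(
        EndpointFilterInvocationContext ctx, EndpointFilterDelegate next)
    {
        ClaimsPrincipal user = ctx.HttpContext.User;
        if (user.Identity?.IsAuthenticated != true)
            return Results.Unauthorized();                      // 401: no session

        // Assumption: each granted permission is an individual "perm" claim
        // on the principal (a session user or an API key's scoped subset).
        bool granted = user.FindAll("perm").Any(c => c.Value == _permission);
        if (!granted)
            return Results.StatusCode(StatusCodes.Status403Forbidden); // plain 403, no redirect

        return await next(ctx);                                 // permission held: run handler
    }
}

public static class PermissionEndpointExtensions
{
    public static RouteHandlerBuilder RequirePermission(
        this RouteHandlerBuilder builder, string permission) =>
        builder.AddEndpointFilter(new PermissionFilter(permission));
}
```

A plain 403 status is returned rather than `Results.Forbid()`, because with cookie authentication the latter can redirect an API caller to an access-denied page instead of answering the request.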

Admin impersonation

Support staff sometimes need to see exactly what a user sees. Slicekit includes short-lived, audited impersonation: an admin with the right permission can start a session as another user. The session is time-boxed, clearly flagged, and every impersonated action is recorded in the audit trail.

Audit trail

Security-relevant actions (sign-in, permission changes, impersonation, sensitive mutations) emit audit events. These flow through the same Serilog → OTLP → Loki pipeline as the rest of the logs, so there is no audit table to maintain and retention lives in Loki rather than the database.

Behind a reverse proxy

In production the API runs behind a reverse proxy, so it is configured to trust forwarded headers for the scheme and client address. That keeps redirects, cookie Secure flags and audited IP addresses correct when TLS terminates at the proxy.

What you configure

  • Roles and their permissions. Seed the set your product needs.
  • Session lifetime and cookie options. Sensible secure defaults are provided.
  • Which actions are audited. Emit an audit event from any handler that warrants one.