
Integrators — Authentication matrix

Parent

Documentation pillar — Integrators

Web (Clerk)

Browser sessions use Clerk; Nest validates them with ClerkAuthGuard on protected routes. Web BFF routes under apps/web/src/app/api/** call Nest with server-side credentials.

CLI and automation

CLI and automation clients use long-lived tokens prefixed consilium_ (stored hashed on User.cliTokenHash). Send the token as Authorization: Bearer <token> to the Nest api/v1 routes that accept CLI auth.
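
The CLI token flow described above, as an added example (not code from this project): it issues a consilium_ token, keeps only its hash, and checks a presented Authorization header in constant time. SHA-256, the 32-byte random token body, and all function names are assumptions; the page states only the prefix, the Bearer scheme, and that the hash lives on User.cliTokenHash.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

const TOKEN_PREFIX = "consilium_"; // prefix stated on this page

// Assumption: SHA-256 over the full token string; the page only says "stored hashed".
// A fast hash is acceptable here only because the token body is 32 random bytes (assumed).
function hashCliToken(token: string): Buffer {
  return createHash("sha256").update(token, "utf8").digest();
}

// Issue a token: the plaintext is shown to the user once, only the hash is persisted.
function issueCliToken(): { token: string; cliTokenHash: string } {
  const token = TOKEN_PREFIX + randomBytes(32).toString("base64url");
  return { token, cliTokenHash: hashCliToken(token).toString("hex") };
}

// Extract a CLI token from an Authorization header value, or null if it is not one.
function parseCliBearer(header: string | undefined): string | null {
  if (!header) return null;
  const match = /^Bearer ([A-Za-z0-9_-]+)$/i.exec(header);
  const token = match?.[1];
  if (!token || !token.startsWith(TOKEN_PREFIX)) return null;
  return token;
}

// Compare the presented token's hash with the stored hex hash in constant time.
function verifyCliToken(header: string | undefined, storedHashHex: string): boolean {
  const token = parseCliBearer(header);
  if (token === null) return false;
  const presented = hashCliToken(token);
  const stored = Buffer.from(storedHashHex, "hex");
  // timingSafeEqual throws on length mismatch, so check lengths first.
  return stored.length === presented.length && timingSafeEqual(stored, presented);
}
```

Rejecting headers without the consilium_ prefix before hashing lets a guard hand non-CLI Bearer values to other auth paths without a database lookup.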

Public vs protected

The Next middleware (middleware.ts) treats only these marketing routes as public: /, /about, /sign-in, /sign-up, /api/webhooks, /terms, /privacy, /faq. Other marketing paths (e.g. /docs, /pricing) may require sign-in until you extend isPublicRoute; treat this as a launch checklist item.

Cross-links

  • API — Authentication (legacy flat doc)
  • Engineers — Nest API modules

Do not paste here

Real Bearer tokens, Clerk session strings, or full Authorization headers belong only in password managers or secure env—not in Notion pages, tickets, or chat archives linked from this wiki.