Skip to main content

Workspace Security

Your Hubify workspace is protected by multiple layers of security — authentication, encryption, network isolation, and access control. This page covers every layer.

Overview

LayerWhat It Protects
Clerk authWeb app login, account access
Workspace JWTDashboard and API access on your subdomain
Terminal authDouble-layer protection for the live terminal
2FA / PasskeysAccount takeover prevention
API tokensProgrammatic access to your workspace
Network isolationCross-workspace access prevention
Vault encryptionCredential and secret storage
Rate limitingAbuse and resource exhaustion prevention
Sensitive file blockingAccidental credential exposure prevention

Authentication Layers

Your workspace uses four authentication layers, each protecting a different access surface.

1. Clerk Auth (Web App)

The primary authentication layer for the Hubify web application at hubify.com:
  • Email + password authentication
  • Email verification required before workspace access
  • JWT tokens issued by Clerk, validated on every protected route
  • Session management with automatic expiration

2. Workspace JWT (Dashboard Access)

When you access yourname.hubify.com, a workspace-specific JWT is validated:
  • Generated with an HMAC secret unique to your workspace
  • Validated by the stats server running on port 4000
  • Scoped to your specific workspace — a token for houston.hubify.com does not grant access to research.hubify.com

3. Terminal Auth (Double-Layer)

The live terminal at yourname.hubify.com/terminal has the strongest authentication because it provides shell access:
  1. nginx JWT validation — the reverse proxy validates your workspace JWT before allowing the request through
  2. ttyd HTTP Basic Auth — even after passing JWT validation, ttyd requires a username and password
Both layers must pass before terminal access is granted. The HTTP Basic Auth credentials are generated on first boot and stored with 600 file permissions (owner read/write only).

4. Two-Factor Authentication

Hubify supports two forms of second-factor authentication:
MethodHow It Works
TOTPTime-based one-time passwords via Google Authenticator, Authy, 1Password, or any TOTP app
WebAuthnPasskeys and hardware security keys (YubiKey, Touch ID, Face ID)
When 2FA is enabled, you are redirected to /verify-2fa after login. You can verify with either a TOTP code, a backup code, or a passkey.
Enable 2FA in Settings > Security. Backup codes are shown once after setup — save them in a secure location.

API Tokens

API tokens provide programmatic access to your workspace without interactive login.

Token Format

hub_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
Tokens follow the format hub_ followed by 32 random alphanumeric characters.

Token Security

PropertyDetails
StorageSHA-256 hashed before storage — plaintext is never persisted
ScopeEach token is scoped to a single workspace
ExpirationOptional expiration date (tokens can be created with no expiry or a specific TTL)
TrackingLast-used timestamp updated on every use
RevocationTokens can be revoked instantly from the dashboard or CLI

Best Practices

  • Create separate tokens for each integration (one for CI/CD, one for your VPS agent, etc.)
  • Set expiration dates on tokens that do not need permanent access
  • Revoke tokens you no longer use
  • Never commit tokens to version control

Workspace Isolation

Every workspace is isolated at every layer of the stack.

Compute Isolation

ComponentIsolation Model
Fly.io machineEach workspace gets its own dedicated machine — no shared compute
6PN networkEach workspace gets an isolated private network (user-{username}-net)
Persistent volume10GB volume at /data is exclusive to the workspace
Process spaceNo shared processes between workspaces

Network Isolation

  • Workspace A cannot access workspace B over the private network, even if they belong to the same user
  • Cross-workspace communication happens exclusively through the Convex intelligence layer (authenticated API calls)
  • All external traffic enters through nginx on port 80 — internal services (OpenClaw on 3000, ttyd on 8080, stats on 4000) are not directly exposed

Secret Management

  • API keys for model providers (Anthropic, OpenAI, etc.) are stored as Fly secrets and injected as environment variables at boot
  • Secrets are never written to disk on the workspace machine
  • The workspace password (for terminal auth) is generated on first boot and stored with 600 permissions

Vault Security

The tool vault stores encrypted credentials that your agents use to access external services.
PropertyDetails
EncryptionAES-256 encryption for all credential entries
Per-service entriesEach service (GitHub, Anthropic, Slack, etc.) has its own vault entry
Agent access controlEach entry has a list of agent IDs that are granted access
Access loggingEvery vault access is logged with agent ID, timestamp, and operation type
Shared or isolatedConfigurable per workspace — vault can be shared across your workspaces or isolated

Vault Configuration in HUB.yaml

vault:
  id: "vault_abc123"

privacy:
  vault_shared_across_workspaces: true    # share vault with your other workspaces
  # or
  vault_shared_across_workspaces: false   # isolated vault for this workspace only

Vault Access Flow

1

Agent requests credential

An agent calls the vault API with its agent ID and the service it needs access to.
2

Access control check

The vault checks whether the requesting agent ID is in the granted_agents list for that entry.
3

Credential returned

If authorized, the encrypted credential is decrypted and returned as a short-lived scoped token. The raw credential is never exposed directly.
4

Access logged

The access event is recorded: agent ID, timestamp, service accessed, and operation type.

Rate Limiting

Rate limits prevent abuse and protect workspace resources.
ScopeLimit
IP-based10 requests per minute per IP address
Workspace provisioning (per user)1 provision per hour
Workspace provisioning (per user, daily)3 provisions per 24 hours
Rate-limited requests receive a 429 Too Many Requests response with a Retry-After header.

Sensitive File Blocking

The nginx reverse proxy and middleware block access to files that could expose secrets:
Blocked PathStatus Code
*.env403 Forbidden
openclaw.json403 Forbidden
.vault.enc403 Forbidden
*.key403 Forbidden
These blocks apply to all access methods — web dashboard, API, and terminal file serving. Attempting to access these files through any route returns a 403 Forbidden response.

Best Practices

Enable 2FA

Turn on TOTP or passkey authentication in Settings > Security. This is the single most effective step to protect your account.

Use Scoped API Tokens

Create separate tokens for each integration with appropriate expiration dates. Never use a single token for everything.

Review Vault Access Logs

Periodically check which agents are accessing which credentials. Revoke access for agents that no longer need it.

Keep Secrets in Fly Secrets

Never write API keys to files on disk. Use Fly secrets for model provider keys and the vault for service credentials.

Security Architecture Diagram

Internet
    |
    v
  Caddy (wildcard SSL, SNI routing)
    |
    v
  nginx (port 80)
    |-- JWT validation
    |-- Sensitive file blocking (.env, openclaw.json)
    |-- Rate limiting
    |
    +-- /            --> Next.js Dashboard
    +-- /terminal    --> JWT check --> ttyd (HTTP Basic Auth)
    +-- /api/*       --> OpenClaw Gateway (port 3000)
    +-- /health      --> Stats Server (port 4000)

  Fly.io Machine
    |-- Isolated 6PN network (user-{username}-net)
    |-- Persistent volume (/data, 10GB)
    |-- Fly secrets (env vars, never on disk)
    |-- Workspace password (600 permissions)

Next Steps

Cloud Workspace

Full workspace architecture

Subdomains

How subdomain routing and SSL work

Tool Vault

Vault credential management

2FA Setup

Enable two-factor authentication