Skip to Content
Upblit
AboutOpen SourceCommunityDeveloperContactPricing
Star on GitHub—Sign in
CTRL K
  • Introduction
    • AI Gateway Overview
    • Documents
    • Tenants
    • API Reference Overview
    • AI Gateway API
    • API Keys API
    • Applications API
    • Authentication
    • Ingest API (SDK)
    • Organizations API
    • Projects API
    • Telemetry API
    • Users API
    • Architecture Overview
    • Database Architecture
    • Multi-Tenancy
    • Security Model
    • Service Boundaries
    • Telemetry Pipeline
  • DeployX CLI
    • Contributing
    • Architecture Rules
    • Coding Guidelines
    • SDK Development
    • Dashboard Overview
    • AI Gateway
    • API Keys
    • Applications
    • Observability
    • Organizations
    • Profile
    • Projects
    • Quickstart
    • Authentication
    • Your First Project
    • Installation
    • Observability Overview
    • Structured Logs
    • Telemetry Flow
    • Distributed Traces
    • SDK Overview
    • Express SDK
    • Go SDK
    • Java SDK (Coming Soon)
    • Python SDK
    • React SDK (Coming Soon)
  • Introduction
    • AI Gateway Overview
    • Documents
    • Tenants
    • API Reference Overview
    • AI Gateway API
    • API Keys API
    • Applications API
    • Authentication
    • Ingest API (SDK)
    • Organizations API
    • Projects API
    • Telemetry API
    • Users API
    • Architecture Overview
    • Database Architecture
    • Multi-Tenancy
    • Security Model
    • Service Boundaries
    • Telemetry Pipeline
  • DeployX CLI
    • Contributing
    • Architecture Rules
    • Coding Guidelines
    • SDK Development
    • Dashboard Overview
    • AI Gateway
    • API Keys
    • Applications
    • Observability
    • Organizations
    • Profile
    • Projects
    • Quickstart
    • Authentication
    • Your First Project
    • Installation
    • Observability Overview
    • Structured Logs
    • Telemetry Flow
    • Distributed Traces
    • SDK Overview
    • Express SDK
    • Go SDK
    • Java SDK (Coming Soon)
    • Python SDK
    • React SDK (Coming Soon)

On This Page

  • Authentication
  • Flow
  • Components
  • API Key Authentication
  • Authorization
  • Secrets Management
  • Transport Security
  • Known Security Gaps
ArchitectureSecurity Model

Security Model

Authentication

Upblit uses GitHub OAuth 2.0 as the sole authentication provider. There are no username/password accounts.

Flow

Browser → GET /oauth2/authorization/github
       → GitHub login + authorization
       → Backend callback: CustomOAuth2UserService
           creates/updates User in PostgreSQL
       → OAuth2SuccessHandler issues JWT + refresh token
       → Frontend stores JWT in localStorage["token"]
       → All API calls: Authorization: Bearer {jwt}

Components

ComponentFileResponsibility
SecurityConfigsecurity/SecurityConfig.javaSpring Security filter chain, CORS, permit rules
JWTAuthenticationFiltersecurity/JWT/JWTAuthenticationFilter.javaValidates JWT on every request
JWTServicesecurity/JWT/JWTService.javaIssues and validates JWT tokens
CustomOAuth2UserServicesecurity/OAuth/CustomOAuth2UserService.javaCreates/updates User after GitHub OAuth
OAuth2SuccessHandlersecurity/OAuth/OAuth2SuccessHandler.javaIssues JWT after successful OAuth
RefreshServicesecurity/RefreshToken/RefreshService.javaManages refresh token lifecycle

API Key Authentication

SDK ingest endpoints use API keys instead of JWT.

  • Keys are generated per application via POST /apikey?ApplicationId={id}
  • Keys are validated against the ApiClient table in PostgreSQL
  • The backend resolves applicationId and projectId from the key on every ingest request
  • Keys are scoped to one application — they cannot be reused across applications

Authorization

All resource endpoints verify that the authenticated user has access to the requested resource before returning data. The ProjectAccessService handles project-level access checks for telemetry queries.

Secrets Management

All secrets are injected via environment variables — never hardcoded in source:

SecretEnvironment Variable
JWT signing keyJWT_SECRET (min 256-bit)
GitHub OAuth client secretGITHUB_CLIENT_SECRET
PostgreSQL passwordPOSTGRES_PASSWORD
MongoDB URI (contains credentials)MONGODB_URI
Supabase service role keySUPABASE_API_KEY
Email service secretEMAIL_SECRET

The Upblit/backend/.env file is gitignored and must never be committed.

Transport Security

  • All production traffic must use HTTPS
  • CORS is configured to allow only the FRONTEND_URI origin
  • The backend sets appropriate security headers in production

Known Security Gaps

GapRiskPriority
No explicit RBAC roles (admin/member)Any org member can perform admin actionsCritical
API key storage format unverifiedIf stored in plaintext, a DB breach exposes all keysHigh
No rate limiting on ingest endpointsStorage abuse possibleHigh
No rate limiting on auth endpointsBrute-force possibleHigh
Client-side file validation onlyMalicious files could bypass size/type limitsMedium
Last updated on May 27, 2026
Multi-TenancyService Boundaries
Upblit

A student-built observability workbench for logs, traces, metrics, API keys, and AI-assisted incident notes.

OAuthAPI scopesTrace contextRetention notes

Product

  • Architecture
  • Dashboard preview
  • AI docs
  • Security
  • Pricing

Developers

  • Developer docs
  • API reference
  • Changelog
  • GitHub
  • Status

Company

  • Support
  • Contact
  • Docs
  • Dashboard
  • Sign in

Legal

  • Privacy Policy
  • Terms
  • Cookie Policy
  • Acceptable Use
  • Data Retention
  • Data Processing

Copyright 2026 Upblit. All rights reserved.

Built for telemetry review, API operations, and incident response.