Security

Scopes

Scope      Who can read       Who can write
personal   Only the creator   Only the creator
project    Project members    Only the creator
global     Everyone           Only the creator

Row Level Security (RLS)

Every database query is filtered by PostgreSQL RLS policies:

  • Knowledge: Scope-based visibility enforced at the database level
  • Comments: Visible if the parent knowledge is visible
  • Resolves: Visible if the parent knowledge is visible
  • Project members: Visible to project members only
  • Security rules: Modifiable by project admins only
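The policies behind that list, written out as an added PostgreSQL example. This is not workthin's schema or policy text: the table and column names, the role values, and the use of Supabase's auth.uid() helper are assumptions, chosen only to show how each bullet maps onto a policy.

```sql
-- Added example (not workthin's own schema): minimal tables plus RLS policies
-- that implement the scope table and the visibility rules above. Names are
-- assumptions. auth.uid() is the Supabase helper returning the caller's user
-- id from the request JWT; on plain PostgreSQL substitute
-- current_setting('request.jwt.claim.sub', true)::uuid.

create type knowledge_scope as enum ('personal', 'project', 'global');

create table project_members (
  project_id uuid not null,
  user_id    uuid not null,
  role       text not null check (role in ('admin', 'member', 'viewer')),
  primary key (project_id, user_id)
);

create table knowledge (
  id         uuid            primary key default gen_random_uuid(),
  scope      knowledge_scope not null,
  project_id uuid,                      -- required when scope = 'project'
  created_by uuid            not null,
  body       text            not null,
  check (scope <> 'project' or project_id is not null)
);

create table comments (
  id           uuid primary key default gen_random_uuid(),
  knowledge_id uuid not null references knowledge (id) on delete cascade,
  created_by   uuid not null,
  body         text not null
);

create table security_rules (
  id         uuid primary key default gen_random_uuid(),
  project_id uuid not null,
  rule       text not null
);

-- Membership checks shared by several policies. SECURITY DEFINER lets them
-- read project_members regardless of that table's own policies; STABLE lets
-- the planner evaluate them once per statement.
create function is_project_member(p uuid) returns boolean
language sql stable security definer as $$
  select exists (select 1 from project_members
                 where project_id = p and user_id = auth.uid());
$$;

create function is_project_admin(p uuid) returns boolean
language sql stable security definer as $$
  select exists (select 1 from project_members
                 where project_id = p and user_id = auth.uid() and role = 'admin');
$$;

alter table knowledge       enable row level security;
alter table comments        enable row level security;
alter table project_members enable row level security;
alter table security_rules  enable row level security;
-- FORCE applies the policies to the table owner too, so a backend that
-- connects as the owning role does not silently bypass them.
alter table knowledge       force row level security;
alter table comments        force row level security;
alter table project_members force row level security;
alter table security_rules  force row level security;

-- Knowledge, who can read: personal -> creator, project -> members,
-- global -> everyone.
create policy knowledge_read on knowledge for select using (
  created_by = auth.uid()
  or scope = 'global'
  or (scope = 'project' and is_project_member(project_id))
);

-- Knowledge, who can write: only the creator, in every scope. WITH CHECK on
-- insert/update pins created_by to the caller, so a row cannot be created on
-- someone else's behalf or have its ownership reassigned.
create policy knowledge_insert on knowledge for insert
  with check (created_by = auth.uid());
create policy knowledge_update on knowledge for update
  using (created_by = auth.uid()) with check (created_by = auth.uid());
create policy knowledge_delete on knowledge for delete
  using (created_by = auth.uid());

-- Comments: visible iff the parent knowledge row is visible. The subquery on
-- knowledge runs with the caller's privileges, so knowledge_read already
-- filters it and the scope logic is not duplicated here. A resolves table
-- would get the same policy.
create policy comments_read on comments for select using (
  exists (select 1 from knowledge k where k.id = comments.knowledge_id)
);

-- Project members: visible to members of that project only.
create policy members_read on project_members for select
  using (is_project_member(project_id));

-- Security rules: only project admins may change them (FOR ALL covers
-- insert, update and delete). Letting members read them is an assumption.
create policy rules_read on security_rules for select
  using (is_project_member(project_id));
create policy rules_write on security_rules for all
  using (is_project_admin(project_id)) with check (is_project_admin(project_id));
```

Two checks worth running against any such schema: that FORCE ROW LEVEL SECURITY is set (without it the table owner, which is often the role the application backend connects as, sees every row), and that every table reachable from a policy subquery is itself protected, since a readable project_members table would leak membership even if knowledge is locked down. RLS filters rows, not columns; a column that must stay hidden from some readers needs a view or a separate table.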

API Authentication

Two methods:

  1. Bearer Token — Authorization: Bearer wt_xxx (CLI, MCP, API)
  2. Cookie Auth — Supabase session cookie (Web UI)

API keys are SHA-256 hashed before storage. Original keys are never stored.
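One way to store and resolve keys by digest, as an added SQL example. It is not workthin's implementation: the api_keys table, the use of pgcrypto for random bytes, the key length and the base64url encoding are assumptions; the page states only that keys carry a wt_ prefix and are SHA-256 hashed before storage.

```sql
-- Added example (not workthin's code). Assumes PostgreSQL 11+ for the
-- built-in sha256(bytea) and pgcrypto for gen_random_bytes().
create extension if not exists pgcrypto;

create table api_keys (
  id         uuid        primary key default gen_random_uuid(),
  user_id    uuid        not null,
  key_hash   bytea       not null unique,  -- sha256(raw key); raw key never stored
  key_prefix text        not null,         -- short, non-secret handle for logs/UI
  created_at timestamptz not null default now(),
  revoked_at timestamptz
);

-- Issue a key: 32 random bytes, base64url-encoded with a wt_ prefix. The
-- plaintext is returned to the caller exactly once and only its digest is
-- persisted, so a database read or backup yields nothing usable.
create function issue_api_key(p_user uuid) returns text
language plpgsql as $$
declare
  raw bytea := gen_random_bytes(32);
  key text  := 'wt_' || translate(encode(raw, 'base64'), '+/=', '-_');
begin
  insert into api_keys (user_id, key_hash, key_prefix)
  values (p_user, sha256(convert_to(key, 'UTF8')), left(key, 7));
  return key;
end
$$;

-- Resolve a presented bearer token to a user: hash it, look up the digest.
-- A wrong or revoked key simply matches no row.
create function user_for_api_key(p_key text) returns uuid
language sql stable as $$
  select user_id
  from api_keys
  where key_hash = sha256(convert_to(p_key, 'UTF8'))
    and revoked_at is null;
$$;
```

An unsalted, single-round SHA-256 is adequate here, unlike for passwords, because the key is 256 bits of random output rather than a user-chosen string; there is nothing for a dictionary attack to guess, and the digest's only job is to make stored data worthless to whoever reads it. Keep the presented key out of logs and error messages and record key_prefix instead.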

Project Roles

Role     Permissions
admin    Full access: invite, remove, change roles, manage security rules
member   Create, read, update, delete own knowledge; read project knowledge
viewer   Read-only access to project knowledge
