Extracted from the original wikibot.io design. AWS-specific content archived at [[Archive/AWS_Design/Auth]].

See also: [[Design/VPS_Architecture]], [[Design/Data_Model]].

---

**ATProto OAuth login** — users authenticate via their ATProto identity (Bluesky handle/DID). The platform runs a self-hosted OAuth 2.1 Authorization Server for MCP connections.

Three auth paths, all converging on the same identity resolution and ACL check:

1. **Browser session**: ATProto OAuth → platform issues a session JWT (signed with our RS256 key) → middleware validates JWT on each request → resolves user → checks ACL → sets Otterwiki headers.

The platform middleware is the single authentication boundary. Everything downstream trusts it.

**OAuth 2.1 (Claude.ai)**: Self-hosted AS (authlib-based) provides DCR, PKCE, AS metadata, token endpoint, and JWKS. The MCP endpoint serves `/.well-known/oauth-protected-resource` pointing to the local AS. Per-wiki authorization happens in middleware — the AS identifies the user, middleware checks wiki access. See [[Design/VPS_Architecture]] for implementation details.

**Bearer token (Claude Code / API)**: Each wiki gets a unique MCP bearer token, stored as a bcrypt hash in the platform DB. The user sees the token once (at creation) and can regenerate it from the dashboard. Usage: `claude mcp add --transport http`.

Wiki creator is always owner. Owners can grant viewer/editor access to other registered users.

2. Resolve wiki from request routing

5. Map ACL role to Otterwiki permission headers:

6. Set headers: `x-otterwiki-email`, `x-otterwiki-name`, `x-otterwiki-permissions`

The platform middleware injects a synthetic anonymous user with READ permission for public wikis. Otterwiki config stays identical for all wikis:

The wiki owner (ACL role `owner`) gets `ADMIN` permission → access to `/-/admin/*`.

| Admin section | Disposition | Reason |

**Implementation**: Override admin navigation template to hide disabled sections. Return 404 from disabled routes in middleware (defense in depth).