Service Security and Operations

Access, validation, OAuth, plan lifecycle, audit, and production-operation guidance for services.

AuthOS release 0.8.2 API v1 Latest-only documentation
Updated Jul 15, 2026

Security Considerations

Service Limits:

  • Organizations have service limits based on their tier
  • Free tier typically allows 5 services
  • Limits can be customized per organization by Platform Owners
  • Service creation fails if limit is reached

Access Control:

  • Only owners and admins can create/modify services and plans
  • Only owners can delete services
  • All members can view services and plans
  • Organization must be active for service operations

Validation:

  • Service type must be one of: web, mobile, desktop, api
  • Service slug must be unique within the organization
  • Plan price must be non-negative
  • Currency should be valid ISO 4217 code

OAuth Configuration:

  • Redirect URIs should use HTTPS in production
  • Scopes should match provider documentation
  • Device activation URI is optional for CLI/device flows
  • Multiple redirect URIs supported for different environments

Plan Management:

  • Plans with active subscriptions cannot be deleted
  • Price changes don’t affect existing subscriptions
  • Features are informational only (not enforced by the platform)
  • Consider business logic implications before modifying plans

Audit Logging:

  • Service creation logged with all configuration details
  • Service updates and deletions logged
  • Plan modifications logged
  • Actor and timestamp tracked for all operations

Best Practices:

  • Use descriptive service names and slugs
  • Configure appropriate OAuth scopes for your use case
  • Set up separate services for development and production
  • Review subscription counts before deleting plans
  • Test OAuth flows after creating/updating services
  • Use semantic versioning in service names if versioning services