Security Considerations
Service Limits:
- Organizations have service limits based on their tier
- Free tier typically allows 5 services
- Limits can be customized per organization by Platform Owners
- Service creation fails if limit is reached
Access Control:
- Only owners and admins can create/modify services and plans
- Only owners can delete services
- All members can view services and plans
- Organization must be
activefor service operations
Validation:
- Service type must be one of:
web,mobile,desktop,api - Service slug must be unique within the organization
- Plan price must be non-negative
- Currency should be valid ISO 4217 code
OAuth Configuration:
- Redirect URIs should use HTTPS in production
- Scopes should match provider documentation
- Device activation URI is optional for CLI/device flows
- Multiple redirect URIs supported for different environments
Plan Management:
- Plans with active subscriptions cannot be deleted
- Price changes don’t affect existing subscriptions
- Features are informational only (not enforced by the platform)
- Consider business logic implications before modifying plans
Audit Logging:
- Service creation logged with all configuration details
- Service updates and deletions logged
- Plan modifications logged
- Actor and timestamp tracked for all operations
Best Practices:
- Use descriptive service names and slugs
- Configure appropriate OAuth scopes for your use case
- Set up separate services for development and production
- Review subscription counts before deleting plans
- Test OAuth flows after creating/updating services
- Use semantic versioning in service names if versioning services