Flux Pass overview: shared auth API for Flux apps

Flux Pass is the API-only authentication service shared across all Flux applications. It handles user registration, login, sessions, OAuth, service entitlements, payments, and more.

Flux Pass is a public-facing API - unlike the Metadata Service, these endpoints are accessible from the internet. All authenticated endpoints require a valid Bearer token in the Authorization header.

Architecture

Flux Pass is built with NestJS and uses the following stack:

Component	Technology
Framework	NestJS
Database	PostgreSQL via Prisma
Rate limiting	Arcjet
Payments	Polar
Monitoring	Sentry
2FA	TOTP via Speakeasy
Email	Custom mail service with queue processing

Authentication

All authenticated endpoints require a Bearer token:

Authorization: Bearer <access_token>

Tokens are JWTs containing userId, email, and sessionId. Access tokens are short-lived; use the refresh token flow to obtain new ones.

Rate limiting

Flux Pass uses Arcjet for rate limiting on sensitive endpoints:

Endpoint	Window	Max requests
Login	60s	30
Register	60s	10
Email verification	60s	5
Resend verification	60s	3
OAuth callbacks	60s	10
Health check	60s	50

API modules

Authentication

OAuth

User

Avatar management, custom domains, and service entitlements.

Connect

Connect and disconnect from Flux services.

Payments

Polar checkout, customer portal, and subscription management.

Admin

User management and platform statistics (admin-only).

Audit

Activity logs and audit trail.

Health

Service health check endpoint.

Flux Pass authentication: register, login, 2FA, tokens

⌘I

​Architecture

​Authentication

​Rate limiting

​API modules

Authentication

OAuth

User

Connect

Payments

Admin

Audit

Health

Architecture

Authentication

Rate limiting

API modules