Backdrift provides a fully managed authentication system out of the box: no OAuth configuration to write, no JWT libraries to wire up, and no hand-rolled auth code for you to audit.

What You Get

User Signup

Self-service registration with email verification

Secure Login

Password authentication with brute-force protection

Password Reset

Secure password recovery via email

JWT Tokens

Access and refresh tokens with configurable expiry

Roles & Permissions

Define roles in your prompt, and Backdrift enforces them at the API level:
"Organization admins can invite members and delete projects.
Members can create tasks but not delete projects.
Viewers can only read data."
This generates:
Role     Permissions
admin    Full CRUD on all entities
member   Create/Read/Update tasks, Read projects
viewer   Read-only access

Authorization Levels

Every endpoint has an authorization level:
Level           Description
public          No authentication required
authenticated   Any logged-in user
admin           Users with admin role
owner           Only the resource owner

Example

GET /v1/tasks         → authenticated (any user)
POST /v1/tasks        → authenticated (any user)
DELETE /v1/tasks/:id  → owner (only creator can delete)
DELETE /v1/projects   → admin (only admins)

Multi-Tenancy

For SaaS applications, Backdrift automatically isolates data by tenant:
"Each organization should have isolated data."
This configures:
  • Organization Entity - Tenant boundary
  • Auto-Filtering - All queries filtered by org_id
  • JWT Claims - Tenant ID embedded in tokens

How It Works

  1. User signs up and creates an organization
  2. User’s JWT includes org_id claim
  3. Every API request is filtered by org_id
  4. User in Org A cannot access data from Org B
# This happens automatically in every Lambda handler:
def list_tasks(event):
    org_id = get_org_id_from_token(event)
    return db.query(
        table="tasks",
        filter={"org_id": org_id}  # Auto-injected
    )
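The following Python is an added example, not Backdrift's own handler code. It puts the four authorization levels from the previous section and the tenant auto-filter from this one into a single set of Lambda-style handlers, and it mints and verifies HS256 tokens itself so it runs offline (the format matches the eyJhbGciOiJIUzI1NiIs prefix in the login response). The org_id claim is the one the page describes; the signing key, the sub and role claim names, the handler decorator, the 401/403/404 mapping and the sample rows are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a fixed HS256 demo key. On the platform the signing key is held
# by Backdrift and handler code never sees it.
SECRET = b"demo-signing-secret-do-not-ship"

class Unauthenticated(Exception): pass   # no valid token   -> 401
class Forbidden(Exception): pass         # valid token, wrong level -> 403

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(sub, org_id, role, ttl=3600):
    """Issue an HS256 access token carrying the tenant and role claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "org_id": org_id, "role": role, "exp": int(time.time()) + ttl}
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token):
    """Return the claims, or raise Unauthenticated on tampering or expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise Unauthenticated("malformed token")
    header, body, sig = parts
    # The algorithm is pinned server-side; the header's alg field is never trusted.
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise Unauthenticated("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("exp", 0) <= time.time():
        raise Unauthenticated("token expired")
    return claims

def authenticate(event):
    """Claims from the bearer header, or None when no header is present."""
    auth = event.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return verify_token(auth[len("Bearer "):])

def authorize(claims, level, resource=None):
    """Enforce one endpoint level: public, authenticated, admin or owner."""
    if level == "public":
        return
    if claims is None:
        raise Unauthenticated("authentication required")
    if level == "admin" and claims.get("role") != "admin":
        raise Forbidden("admin role required")
    if level == "owner" and (resource is None or resource["owner"] != claims["sub"]):
        raise Forbidden("only the resource owner may do this")

def handler(level):
    """Decorator: run the auth checks, then map outcomes to HTTP-style responses."""
    def wrap(fn):
        def inner(event, *args):
            try:
                claims = authenticate(event)
                authorize(claims, level)
                return {"statusCode": 200, "body": fn(claims, *args)}
            except Unauthenticated:
                return {"statusCode": 401}
            except Forbidden:
                return {"statusCode": 403}
            except LookupError:
                return {"statusCode": 404}
        return inner
    return wrap

# Constructed sample rows: two tenants, three owners.
TASKS = [
    {"id": "t1", "org_id": "orgA", "owner": "alice", "title": "ship auth"},
    {"id": "t2", "org_id": "orgA", "owner": "bob", "title": "write docs"},
    {"id": "t3", "org_id": "orgB", "owner": "carol", "title": "rotate keys"},
]

def tenant_scoped(claims, rows):
    """The auto-filter: every query is narrowed to the caller's org_id."""
    return [r for r in rows if r["org_id"] == claims["org_id"]]

@handler("authenticated")
def list_tasks(claims):
    return [t["id"] for t in tenant_scoped(claims, TASKS)]

@handler("authenticated")
def delete_task(claims, task_id):
    # Tenant filter first: a task in another org looks like a missing one (404),
    # so ids cannot be probed across tenants. The owner check comes after that.
    task = next((t for t in tenant_scoped(claims, TASKS) if t["id"] == task_id), None)
    if task is None:
        raise LookupError("task not found")
    authorize(claims, "owner", task)
    return task["id"]   # a real handler would delete the row here

@handler("admin")
def delete_project(claims, project_id):
    return project_id   # only reached with the admin role; deletion elided

def bearer(token):
    return {"headers": {"Authorization": f"Bearer {token}"}}
```

Two choices worth copying: the verifier never reads the token's alg header, so an "alg":"none" token with an empty signature fails the HMAC comparison like any other forgery, and the owner check runs only after the tenant filter, so a member of Org A probing an Org B task id gets 404 rather than 403 and learns nothing about the other tenant's data.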

Password Policies

Backdrift enforces secure password policies:
  • Minimum 8 characters
  • Requires uppercase letter
  • Requires lowercase letter
  • Requires number
  • Requires special character (optional)
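An added example, not Backdrift's own validator, showing how the rules above behave as a checker that reports every failed rule at once (so a signup form can list them together) and keeps the special-character rule switchable. The policy keys and the message wording are assumptions; the platform's own configuration surface is not shown on this page.

```python
import unicodedata

# Assumption: these keys mirror the page's rules; they are not Backdrift's config names.
DEFAULT_POLICY = {
    "min_length": 8,
    "require_upper": True,
    "require_lower": True,
    "require_digit": True,
    "require_special": False,   # the page lists this rule as optional
}

# Character-class tests, Unicode-aware: "É" counts as uppercase, "é" as lowercase.
_CHECKS = {
    "require_upper": (str.isupper, "an uppercase letter"),
    "require_lower": (str.islower, "a lowercase letter"),
    "require_digit": (str.isdigit, "a digit"),
    "require_special": (lambda c: not c.isalnum() and not c.isspace(), "a special character"),
}

def password_violations(password, policy=None):
    """Return every rule the password fails; an empty list means it is accepted."""
    policy = {**DEFAULT_POLICY, **(policy or {})}
    # Normalise first so the same visible string always has the same length.
    password = unicodedata.normalize("NFC", password)
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"needs at least {policy['min_length']} characters")
    for key, (test, label) in _CHECKS.items():
        if policy[key] and not any(test(c) for c in password):
            problems.append(f"needs {label}")
    return problems

def is_acceptable(password, policy=None):
    return not password_violations(password, policy)
```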

Token Configuration

Token Type      Default Expiry   Configurable
Access Token    1 hour           Yes
Refresh Token   30 days          Yes
ID Token        1 hour           Yes

Using Authentication

Sign Up

curl -X POST https://your-api.amazonaws.com/auth/signup \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "SecurePass123!"
  }'

Login

curl -X POST https://your-api.amazonaws.com/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "SecurePass123!"
  }'
Response:
{
  "accessToken": "eyJhbGciOiJIUzI1NiIs...",
  "refreshToken": "eyJhbGciOiJIUzI1NiIs...",
  "expiresIn": 3600
}

Make Authenticated Requests

curl https://your-api.amazonaws.com/v1/tasks \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."

Coming Soon

  • Social login (Google, GitHub, Apple)
  • SAML/OIDC federation
  • Multi-factor authentication (MFA)
  • API keys for machine-to-machine auth
