botbook/src/12-auth/README.md

Chapter 12: Authentication & Security

User authentication, permission management, and resource protection for botserver.

Overview

botserver delegates identity to Zitadel and layers on it session tokens, role-based permissions, and per-user and global rate limiting to contain abuse.

Initial Setup

When General Bots starts for the first time, it automatically creates an administrator account and displays the credentials in the console. See Initial Setup & Bootstrap for details.

╔════════════════════════════════════════════════════════════╗
║       🤖 GENERAL BOTS - INITIAL SETUP COMPLETE            ║
╠════════════════════════════════════════════════════════════╣
║  Username:             admin                               ║
║  Email:                admin@localhost                     ║
║  Password:             (displayed in console)              ║
╚════════════════════════════════════════════════════════════╝

Important: Save the password shown in your console during first startup. It will not be displayed again.

Authentication Methods

| Method | Use Case |
|---|---|
| Session Token | Web/API access |
| OAuth2/OIDC | SSO integration via Zitadel |
| API Key | Service accounts |
| Bot Auth | Bot-to-bot communication |

Quick Start

```basic
' Check if the current user is authenticated before greeting them by name
IF user.authenticated THEN
  TALK "Welcome, " + user.name
ELSE
  TALK "Please log in first"
END IF
```

Security Features

  • Directory Service: Zitadel handles all user identity management
  • No Password Storage: passwords are never stored by General Bots; credentials are verified by Zitadel
  • Session Management: cryptographically random tokens with a configurable expiry
  • Rate Limiting: per-user and global limits; requests over the limit get an HTTP 429 response
  • System Limits: loop protection, file size limits, resource constraints
  • Audit Logging: every authentication event is logged
  • Organizations: multi-tenant support with org-based isolation

Permission Levels

| Level | Access |
|---|---|
| admin | Full system access, user management |
| org_owner | Organization management |
| bot_owner | Bot configuration and deployment |
| bot_operator | Bot operation and monitoring |
| user | Standard access |
| guest | Read-only, anonymous chat |

Organization Structure

Organization (e.g., "Acme Corp")
├── Users (with roles)
├── Bots (owned by org)
│   ├── sales-bot
│   └── support-bot
└── Drive Storage
    ├── acme-sales-bot.gbai/
    └── acme-support-bot.gbai/

Configuration

The authentication settings are name,value rows; the values below are the defaults. auth-session-ttl and auth-lockout-duration are durations in seconds (3600 = one hour, 900 = fifteen minutes), and auth-max-attempts is the number of failed logins tolerated before the lockout applies.

```csv
name,value
auth-session-ttl,3600
auth-max-attempts,5
auth-lockout-duration,900
```
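The following is an added example, not botserver's own code, showing how the three settings above combine into a login guard: failed attempts are counted per user, the account is locked for auth-lockout-duration once auth-max-attempts is reached, and a successful login issues a random session token that stops validating after auth-session-ttl. It assumes the durations are seconds, that password verification is delegated to the identity provider (passed in here as a `verify` callback standing in for Zitadel), and that tokens are drawn from the OS CSPRNG; the names `AuthConfig`, `AuthGuard`, `LoginOutcome` and `SAMPLE_CONFIG` are illustrative. Time is passed in as unix seconds so the behaviour is deterministic.

```rust
use std::collections::HashMap;
use std::io::Read;

/// The three auth settings from the chapter's name,value table, as parsed values.
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct AuthConfig {
    pub session_ttl_secs: u64,
    pub max_attempts: u32,
    pub lockout_secs: u64,
}

/// Constructed sample config (same keys and defaults the chapter shows).
pub const SAMPLE_CONFIG: &str =
    "name,value\nauth-session-ttl,3600\nauth-max-attempts,5\nauth-lockout-duration,900\n";

impl AuthConfig {
    /// Parse name,value rows; the header row is skipped and unknown keys are ignored.
    pub fn from_csv(text: &str) -> Result<Self, String> {
        let mut cfg = AuthConfig { session_ttl_secs: 3600, max_attempts: 5, lockout_secs: 900 };
        for (i, raw) in text.lines().enumerate() {
            let line = raw.trim();
            if line.is_empty() || line == "name,value" {
                continue;
            }
            let (name, value) = line
                .split_once(',')
                .ok_or_else(|| format!("line {}: expected name,value", i + 1))?;
            let num = value.trim().parse::<u64>().map_err(|e| format!("{}: {}", name, e));
            match name.trim() {
                "auth-session-ttl" => cfg.session_ttl_secs = num?,
                "auth-max-attempts" => cfg.max_attempts = num? as u32,
                "auth-lockout-duration" => cfg.lockout_secs = num?,
                _ => {} // other settings are not this guard's concern
            }
        }
        if cfg.max_attempts == 0 {
            return Err("auth-max-attempts must be at least 1".into());
        }
        Ok(cfg)
    }
}

#[derive(Default)]
struct Attempts {
    failures: u32,
    locked_until: Option<u64>, // unix seconds; None = not locked
}

#[derive(Debug)]
pub enum LoginOutcome {
    Success(String), // session token
    BadCredentials { remaining: u32 },
    LockedOut { until: u64 },
}

/// Per-user lockout counter plus an expiring session table.
pub struct AuthGuard {
    cfg: AuthConfig,
    attempts: HashMap<String, Attempts>,
    sessions: HashMap<String, (String, u64)>, // token -> (user, expires_at)
}

impl AuthGuard {
    pub fn new(cfg: AuthConfig) -> Self {
        AuthGuard { cfg, attempts: HashMap::new(), sessions: HashMap::new() }
    }

    /// `verify` stands in for the identity provider (Zitadel in botserver): the guard
    /// never stores the password, it only forwards it for verification.
    pub fn login(&mut self, user: &str, password: &str, now: u64,
                 verify: &dyn Fn(&str, &str) -> bool) -> LoginOutcome {
        let entry = self.attempts.entry(user.to_string()).or_default();
        if let Some(until) = entry.locked_until {
            if now < until {
                return LoginOutcome::LockedOut { until }; // rejected even if the password is right
            }
            *entry = Attempts::default(); // lockout elapsed: start counting afresh
        }
        if !verify(user, password) {
            entry.failures += 1;
            if entry.failures >= self.cfg.max_attempts {
                let until = now + self.cfg.lockout_secs;
                entry.locked_until = Some(until);
                return LoginOutcome::LockedOut { until };
            }
            return LoginOutcome::BadCredentials { remaining: self.cfg.max_attempts - entry.failures };
        }
        entry.failures = 0;
        let token = random_token();
        self.sessions.insert(token.clone(), (user.to_string(), now + self.cfg.session_ttl_secs));
        LoginOutcome::Success(token)
    }

    /// Returns the user for a live token; expired or unknown tokens are rejected
    /// and expired ones are dropped from the table.
    pub fn validate(&mut self, token: &str, now: u64) -> Option<String> {
        let live = self.sessions.get(token).filter(|(_, exp)| now < *exp).map(|(u, _)| u.clone());
        if live.is_none() {
            self.sessions.remove(token);
        }
        live
    }
}

/// 256-bit token read from the OS CSPRNG (/dev/urandom), hex-encoded.
fn random_token() -> String {
    let mut buf = [0u8; 32];
    std::fs::File::open("/dev/urandom")
        .and_then(|mut f| f.read_exact(&mut buf))
        .expect("OS randomness unavailable");
    buf.iter().map(|b| format!("{:02x}", b)).collect()
}

fn main() {
    let cfg = AuthConfig::from_csv(SAMPLE_CONFIG).expect("valid config");
    let mut guard = AuthGuard::new(cfg);
    let idp = |u: &str, p: &str| u == "admin" && p == "correct horse battery"; // stand-in for Zitadel
    for _ in 0..5 {
        println!("{:?}", guard.login("admin", "wrong", 1000, &idp));
    }
    println!("{:?}", guard.login("admin", "correct horse battery", 1500, &idp)); // still locked
    println!("{:?}", guard.login("admin", "correct horse battery", 1900, &idp)); // lock elapsed
}
```

Two details worth keeping when adapting this: a correct password submitted during the lockout window must still be refused (otherwise the lockout only slows an attacker who already has the password), and expired tokens should be evicted on validation rather than left in the table, so the session store cannot grow without bound.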

Chapter Contents

Anonymous Chat Access

Anonymous users can use the chat without logging in: the system creates a temporary session for them, corresponding to the guest level in the permissions table above. Authentication is required only for:

  • User management (Settings)
  • Bot configuration
  • Administrative functions
  • Organization management

See Also