Authentication
Every Cubby app gets built-in authentication via Cubby SSO. You don’t need to implement any auth logic.How It Works
When users access your app:- Request arrives at
https://myapp.username.cubby.pro - Envoy Gateway intercepts and checks for valid session cookie
- If not logged in: User is redirected to
auth.cubby.pro - User authenticates: Magic link or password
- Redirect back: User returns to your app with session
- Headers injected: User info available in your code
Request Headers
Authenticated requests include these headers:Accessing User Info
In API Routes
In Server Components
In Server Actions
User-Scoped Data
Most apps need to scope data by user. Use theuserId from headers:
Owner vs Shared Access
Apps can be shared with other users. Both owners and shared users are authenticated, but they have different permissions:
Your app code receives the same headers for both. If you need to distinguish:
What NOT To Do
Since Cubby handles authentication, you should NOT:- Install auth libraries (NextAuth, Clerk, Auth0, etc.)
- Create user/session tables in your database
- Implement login/logout pages
- Handle password reset flows
- Store passwords or tokens
Login Methods
Users can authenticate via:- Magic link: Email with one-time login link
- Password: Traditional email + password
auth.cubby.pro.
Session Duration
- Inactivity timeout: 7 days without activity
- Absolute timeout: 90 days maximum