Authentication

flamel uses flamel.dev as an identity provider. Your server validates tokens offline — flamel.dev never sees your sessions, files, or prompts.

How it works

When you sign in, flamel.dev issues a short-lived RS256 JWT signed with a private key. Your server fetches the JWKS (public keys) once on startup and caches them. Every request is validated locally — no round-trips to flamel.dev during normal operation.

The token contains your user ID and email. That's it. flamel.dev has no visibility into what your server does after validation.

First sign-in (bootstrap)

The first account to authenticate against a fresh server automatically becomes the admin. There's no separate admin setup step — whoever registers the server and signs in first owns it.

Inviting teammates

Teammates sign up at flamel.dev/signup, and you grant them access via Dashboard → Teams.

Teams

If your flamel.dev account belongs to a team, all team members can be granted access at once via Dashboard → Teams.

Revoking access

Remove a user in Dashboard → Servers → [your server] → Members. Revocation is immediate — their next request will be rejected even if their JWT hasn't expired yet, because flamel checks against its own user table after JWT validation.
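The server-side half of the flow described under "How it works" and in this section, as an added example (it is not flamel's code). It assumes the JWKS is an RFC 7517 document with RSA keys indexed by kid, that the token header carries kid, and that the claim names are sub, email and exp; the members map stands in for the server's own user table, and SignRS256 and JWKSFor are constructed stand-ins for the identity provider so the block runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWTs and JWKs use unpadded base64url

// jwk: RFC 7517 fields for an RSA key; encoding/json matches "kid"/"n"/"e" case-insensitively.
type jwk struct{ Kid, N, E string }

// Claims is the payload the page describes: user ID (sub), email, and expiry (exp).
type Claims struct{ Sub, Email string; Exp int64 }

// LoadJWKS parses a JWKS document into a kid-indexed map; fetch and call it once at startup.
func LoadJWKS(doc []byte) (map[string]*rsa.PublicKey, error) {
	var set struct{ Keys []jwk }
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	keys := map[string]*rsa.PublicKey{}
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if errN != nil || errE != nil {
			return nil, errors.New("malformed JWK " + k.Kid)
		}
		keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	return keys, nil
}

// VerifyRS256 validates a token offline: alg pinned to RS256 (alg=none and HMAC key-confusion
// headers are rejected), signature checked with the cached key named by kid, exp checked.
func VerifyRS256(keys map[string]*rsa.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrRaw, err1 := b64.DecodeString(parts[0])
	payload, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("malformed token encoding")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("only RS256 tokens are accepted")
	}
	key, ok := keys[hdr.Kid]
	if !ok {
		return nil, errors.New("unknown kid")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("unreadable or expired claims")
	}
	return &c, nil
}

// Authorize is the two-step check the page describes: a valid JWT is necessary but not
// sufficient; the user must still be in the server's own member table (immediate revocation).
func Authorize(keys map[string]*rsa.PublicKey, members map[string]bool, token string, now time.Time) (*Claims, error) {
	c, err := VerifyRS256(keys, token, now)
	if err == nil && !members[c.Sub] {
		c, err = nil, errors.New("user is not a member of this server")
	}
	return c, err
}

// SignRS256 and JWKSFor play the identity provider's role so the example runs offline;
// they are constructed for this example and are not flamel.dev's implementation.
func SignRS256(priv *rsa.PrivateKey, kid string, c Claims) string {
	enc := func(v any) string { b, _ := json.Marshal(v); return b64.EncodeToString(b) }
	signing := enc(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid}) + "." +
		enc(map[string]any{"sub": c.Sub, "email": c.Email, "exp": c.Exp})
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + b64.EncodeToString(sig)
}

func JWKSFor(pub *rsa.PublicKey, kid string) []byte {
	k := map[string]string{"kty": "RSA", "kid": kid, "n": b64.EncodeToString(pub.N.Bytes()),
		"e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
	doc, _ := json.Marshal(map[string][]map[string]string{"keys": {k}})
	return doc
}
```

Call Authorize twice with the same unexpired token, once with the user present in members and once after removing them: VerifyRS256 succeeds both times, but the second call fails, which is the behaviour the revocation section relies on. The block treats an unknown kid as a hard error; a deployment that expects the provider to rotate keys would normally use that event to re-fetch the JWKS (rate-limited) rather than reject outright.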

Token lifetime

JWTs are short-lived (15 minutes). The browser refreshes them transparently using a longer-lived refresh token stored in an httpOnly cookie on the flamel.dev domain. Your server never sees the refresh token.