Projects
A Project represents a specific application or environment within a tenant. Most tenants have at least two projects: one for development and one for production.
One application or environment = one project.
Why Projects Exist
- Environment separation: Keep development and production auth completely separate with different signing keys, API keys, and CORS origins.
- Multiple applications: A tenant building both a web app and a mobile app can create separate projects.
- Security boundaries: Signing keys are per-project. Rotating a key in development does not affect production.
Properties
| Property | Type | Default | Description |
|---|---|---|---|
| id | UUID | Auto-generated | Unique identifier |
| tenant_id | UUID | Required | Parent tenant |
| name | string (max 255) | Required | Display name |
| slug | string (max 63) | Required | URL-safe identifier, unique per tenant |
| environment | string | "development" | "development" or "production" |
| allowed_origins | string[] | [] | CORS origins allowed for this project |
| allowed_redirects | string[] | [] | Redirect URLs allowed after OAuth/auth flows |
| settings_json | JSON | {} | Per-project settings |
Child Resources
Signing Keys
JWT signing key pairs (RS256) used to sign access tokens. Each project has exactly one primary signing key at any time. Old keys remain valid for verification until they expire (24 hours after rotation by default).
API Keys
Used by client SDKs to identify which project a request belongs to. Sent via the X-Zautha-Project-Key header. The full API key secret is only shown once at creation time.
SDK Integration
When integrating Zautha, pass the project key to the SDK provider:
```jsx
import { ZauthaProvider } from '@zautha/react';

function App() {
  return (
    <ZauthaProvider projectKey="pk_live_xxx">
      <YourApp />
    </ZauthaProvider>
  );
}
```
API Endpoints
| Method | Path | Description |
|---|---|---|
| POST | /v1/admin/projects | Create a project |
| GET | /v1/admin/projects | List projects (paginated) |
| GET | /v1/admin/projects/{project_id} | Get a single project |
| PATCH | /v1/admin/projects/{project_id} | Update origins, redirects, settings |
| POST | /v1/admin/projects/{project_id}/api-keys | Create an API key |
| GET | /v1/admin/projects/{project_id}/api-keys | List API keys |
| DELETE | /v1/admin/projects/{project_id}/api-keys/{key_id} | Revoke an API key |
| POST | /v1/admin/projects/{project_id}/signing-keys/rotate | Rotate the signing key |
Real-World Example
FinanceApp has strict environment separation:
| Project | Environment | Origins | Use case |
|---|---|---|---|
| FinanceApp Dev | development | http://localhost:3000 | Local development |
| FinanceApp Staging | development | https://staging.financeapp.com | QA testing |
| FinanceApp Production | production | https://app.financeapp.com | Real users |
Each environment has its own API keys, signing keys, and user base.