Security

Security boundaries are part of the product shape.

Message Science keeps marketing public, app routes authenticated, and every API action authorized against server-side customer and group membership.

Auth and authorization

Clerk protects the application shell, but the Go API verifies every bearer token and authorizes each request against admin, customer, and group-scoped access records.

Credential handling

Mailbox passwords are encrypted at rest and decrypted only for export generation or approved operational flows. Key rotation is designed into the data model.

Signed downloads

Browser downloads use short-lived signed URLs instead of long-lived bearer tokens in links. Successful and failed download attempts are recorded.
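
The signed-download scheme described above, as an added Go example (not Message Science's own code): an HMAC-SHA256 signature binds the download path to an expiry time, and every verification outcome, successful or failed, is recorded. The `Signer` and `Attempt` types, the `exp` and `sig` parameter names, the key, and the download path are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// Attempt is one audit record; Signer (hypothetical) keeps the key and an in-memory log standing in for a backend table.
type Attempt struct{ URL, Reason string }
type Signer struct {
	Key []byte
	Log []Attempt
}

func (s *Signer) mac(path string, exp int64) string {
	m := hmac.New(sha256.New, s.Key)
	fmt.Fprintf(m, "%s\n%d", path, exp) // the MAC covers both path and expiry
	return fmt.Sprintf("%x", m.Sum(nil))
}

// Sign returns a link that is valid for path until expires.
func (s *Signer) Sign(path string, expires time.Time) string {
	return fmt.Sprintf("%s?exp=%d&sig=%s", path, expires.Unix(), s.mac(path, expires.Unix()))
}

// Verify checks the signature before the expiry and records the outcome either way.
func (s *Signer) Verify(rawURL string, now time.Time) bool {
	reason := "ok"
	if u, err := url.Parse(rawURL); err != nil {
		reason = "bad url"
	} else if exp, err := strconv.ParseInt(u.Query().Get("exp"), 10, 64); err != nil {
		reason = "bad expiry"
	} else if !hmac.Equal([]byte(u.Query().Get("sig")), []byte(s.mac(u.Path, exp))) {
		reason = "bad signature"
	} else if now.Unix() > exp {
		reason = "expired"
	}
	s.Log = append(s.Log, Attempt{rawURL, reason})
	return reason == "ok"
}

func main() {
	s := &Signer{Key: []byte("constructed-demo-key")} // constructed key and path
	link := s.Sign("/downloads/export.zip", time.Now().Add(5*time.Minute))
	fmt.Println(link, s.Verify(link, time.Now()), s.Verify(link+"0", time.Now()), s.Log)
}
```

Because the expiry is inside the MAC input, a client cannot extend a link's lifetime by editing `exp`; the signature check fails first and the attempt is logged as `bad signature`.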

Service separation

The static website, authenticated app, and API are separate services and hosts so public content cannot inherit application route behavior.

Operational posture

V1 optimizes for clear custody and auditability.

Provisioning jobs write state, step history, events, and artifacts into the backend so partial failures can be reviewed and retried without losing customer context.

Public route policy

  • Marketing pages and docs stay public.
  • Authenticated application routes live on `app.messagescience.com`.
  • API calls go through `api.messagescience.com/rpc/*` with Clerk session tokens.
  • Webhook and download routes stay outside the ConnectRPC mount.