← back to blog

How MonoRouter Keeps Your Account Secure: Auth, Recovery, and Session Management

A look inside MonoRouter's authentication system — from password hashing and recovery codes to Google OAuth and automatic session invalidation.

Security for a service that proxies your AI requests isn't optional — it's the foundation. Here's how MonoRouter's authentication system works and why we made the choices we did.

Layered Authentication

MonoRouter supports multiple ways to sign in, each suited to different users:

Email + password — The default. Passwords must be at least 12 characters and are hashed with argon2id using OWASP-recommended parameters. We never store plaintext passwords.

# What we store (simplified)
import argon2

hasher = argon2.PasswordHasher(
    time_cost=2,        # iterations
    memory_cost=19456,  # 19 MiB
    parallelism=1,
)
password_hash = hasher.hash(user_password)
# → "$argon2id$v=19$m=19456,t=2,p=1$..."

Google OAuth — One-click sign-in through your Google account. If the email matches an existing account, we link them automatically. New Google users get an account created with no password required.

Recovery codes — Six single-use codes generated at signup. Each code is independently hashed with bcrypt and stored. When you use a code, its hash is removed — it can never be used again.

Password Reset

Forgot your password? MonoRouter supports email-based password reset. Enter your email, receive a reset link, and set a new password. The link expires in 15 minutes and can only be used once.

For legacy accounts without email addresses, recovery codes remain the fallback. This ensures every user has a path back into their account.

Session Management

MonoRouter uses JWT tokens (HS256) with a 7-day expiry stored in HTTP-only cookies. But a valid JWT isn't enough — every request also checks the user's tokenVersion against the database.

Request → Validate JWT signature → Check tokenVersion → Allow/Deny

This means we can instantly invalidate all of a user's sessions by incrementing their tokenVersion. We do this automatically when:

  • A password is reset (via email link or recovery code)
  • A user explicitly logs out of all sessions
  • An admin revokes a user's access

Even if someone has a stolen JWT with days left before expiry, bumping the token version makes it useless immediately.

API Key Security

Your MonoRouter API key is separate from your account password. It authenticates SDK and tool requests against the proxy, not the web dashboard.

# Your API key goes where the Anthropic key normally would
export ANTHROPIC_API_KEY="mr_live_abc123"
export ANTHROPIC_BASE_URL="https://api.monorouter.dev/v1"

API keys can be rotated from the dashboard without changing your password. Rotating a key immediately invalidates the old one — there's no grace period.

What We Don't Store

DataStored?Purpose
Prompt contentNo
Response contentNo
Passwords (hashed)YesAuthentication
Recovery codes (hashed)YesAccount recovery
Model nameYesUsage analytics
Token countsYesQuota tracking
Request timestampsYesRate limiting

Your prompts and Claude's responses pass through MonoRouter but are never logged, cached, or stored. We keep only the metadata needed for rate limiting and usage tracking.

Rate Limiting on Auth Endpoints

All authentication endpoints are rate-limited per email and per IP address to prevent brute-force attacks:

  • Login: 10 attempts per hour per email
  • Password reset: 3 requests per hour per email
  • Recovery codes: 3 attempts per hour per email

Failed attempts against nonexistent accounts take the same time as real attempts (constant-time comparison), so attackers can't use timing differences to enumerate valid emails.

The Philosophy

We designed MonoRouter's auth with a simple principle: defense in depth. No single layer is the whole story. Passwords are strong but can be phished. OAuth is convenient but depends on Google. Recovery codes are offline but can be lost. Email reset is familiar but depends on email security.

By offering all of these and letting users choose what fits their workflow, we make the secure path the easy path.