
Security

Shardlyn provides multiple layers of security for your account and infrastructure. This guide covers authentication, MFA, SSH certificates, API tokens, and access control.

Authentication Methods

Email & Password

The default authentication method. Passwords are hashed with bcrypt.

  1. Register at shardlyn.com with your email
  2. Set a strong password (minimum 8 characters)
  3. Enable MFA for additional security (recommended)

GitHub OAuth

Sign in with your GitHub account:

  1. Click Sign in with GitHub on the login page
  2. Authorize Shardlyn to access your email address
  3. Your account is linked to your GitHub identity

GitHub OAuth can be used alongside email/password login.

Multi-Factor Authentication (MFA)

MFA adds a second layer of security using time-based one-time passwords (TOTP).

Enabling MFA

  1. Go to Settings > Security
  2. Click Enable MFA
  3. Scan the QR code with your authenticator app (Google Authenticator, Authy, 1Password, etc.)
  4. Enter the 6-digit code to confirm enrollment

Using MFA

After enabling MFA, you'll be prompted for a 6-digit code on every login. Codes rotate every 30 seconds.

Rate Limiting

MFA verification is rate-limited to 5 attempts per minute to prevent brute-force attacks. If you exceed this limit, wait 60 seconds before trying again.
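To make the mechanism behind the two sections above concrete, here is an added example (not Shardlyn's code) that implements RFC 6238 TOTP with 6-digit codes and 30-second steps, plus a server-side verifier that enforces 5 attempts per rolling 60 seconds, tolerates one step of clock skew and refuses a code that has already been accepted. The secret is the RFC 6238 reference secret, embedded for the demo; the skew window and the single-use rule are assumptions about how a sound verifier behaves, not documented Shardlyn behaviour.

```python
"""TOTP (RFC 6238) generation and verification with a 5-per-minute attempt limit.

Added illustration, not Shardlyn code: it reproduces the behaviour the docs describe
(6 digits, 30-second rotation, 5 attempts per 60 s) so the mechanism is visible end to end.
"""
import base64
import hashlib
import hmac
import struct
from collections import deque

STEP_SECONDS = 30      # codes rotate every 30 seconds
DIGITS = 6
MAX_ATTEMPTS = 5       # verification attempts allowed ...
WINDOW_SECONDS = 60    # ... per rolling 60-second window

# RFC 6238 reference secret ("12345678901234567890" in ASCII), base32-encoded the way an
# enrollment QR code carries it. Constructed for this example only; never reuse it.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """HOTP over the time counter (HMAC-SHA1, the default of common authenticator apps)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side check for one account: skew tolerance, replay rejection, rate limit."""

    def __init__(self, secret_b32: str, max_attempts: int = MAX_ATTEMPTS, window: int = WINDOW_SECONDS):
        self.secret = secret_b32
        self.max_attempts = max_attempts
        self.window = window
        self.attempts = deque()     # timestamps of attempts inside the current window
        self.last_counter = -1      # highest time step whose code has already been accepted

    def verify(self, code: str, now: int) -> tuple:
        # Sliding-window limiter: drop attempts older than the window, then enforce the cap.
        while self.attempts and now - self.attempts[0] >= self.window:
            self.attempts.popleft()
        if len(self.attempts) >= self.max_attempts:
            return False, "rate_limited"          # caller tells the user to wait 60 s
        self.attempts.append(now)

        # Accept the current step and one either side to absorb clock drift.
        for skew in (0, -1, 1):
            t = now + skew * STEP_SECONDS
            if hmac.compare_digest(totp(self.secret, t), code):   # constant-time compare
                counter = t // STEP_SECONDS
                if counter <= self.last_counter:
                    return False, "replay"        # each code is single-use
                self.last_counter = counter
                return True, "ok"
        return False, "bad_code"


if __name__ == "__main__":
    # RFC 6238 test vector: T=59 gives 94287082 at 8 digits, so 287082 at 6 digits.
    print(totp(DEMO_SECRET_B32, 59))
    v = TotpVerifier(DEMO_SECRET_B32)
    now = 1234567890
    print(v.verify(totp(DEMO_SECRET_B32, now), now))          # (True, 'ok')
    print(v.verify(totp(DEMO_SECRET_B32, now), now + 5))      # (False, 'replay')
```

The limiter counts every submitted code, including replays, so five wrong or reused codes in a minute lock the account out of MFA verification until the oldest attempt ages out of the window; a rate-limited attempt itself is not recorded, so hammering the endpoint does not extend the lockout indefinitely.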

Disabling MFA

  1. Go to Settings > Security
  2. Click Disable MFA
  3. Enter your current MFA code to confirm

SSH Certificate Authority

Shardlyn includes a built-in SSH Certificate Authority (CA) that issues short-lived certificates for server access. Servers only need to trust the CA's public key, so you no longer distribute individual users' public keys to each server's authorized_keys, and access expires on its own when the certificate does.

How It Works

  1. Shardlyn maintains a CA key pair
  2. When you request SSH access, Shardlyn signs your public key with the CA
  3. The signed certificate is valid for a limited time (configurable)
  4. Your provisioned nodes trust the CA automatically

Requesting an SSH Certificate

From the Dashboard

  1. Navigate to a node's detail page
  2. Click SSH Access
  3. Your browser downloads a signed certificate
  4. Save it next to the matching private key as <keyfile>-cert.pub, which ssh picks up automatically, or pass it explicitly: ssh -i ~/.ssh/id_ed25519 -o CertificateFile=certificate user@server (user must be one of the certificate's principals)

From the API

bash
# Get the CA public key (configure on your servers)
curl https://api.shardlyn.com/v1/ssh/ca-public-key \
  -H "Authorization: Bearer $TOKEN"

# Request a signed certificate
curl -X POST https://api.shardlyn.com/v1/ssh/certificate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "public_key": "ssh-ed25519 AAAA...",
    "principals": ["root", "shardlyn"],
    "validity_hours": 8,
    "node_id": "node-uuid"
  }'

The response includes:

  • certificate: The signed SSH certificate; save it as <keyfile>-cert.pub beside the private key whose public half you submitted
  • serial_number: Unique serial for auditing; it is embedded in the certificate and sshd records it on the node when the certificate is used
  • valid_after / valid_before: Certificate validity window; sshd rejects the certificate outside it, so node clocks must be reasonably in sync
  • principals: Usernames the certificate may log in as. Request only the principals you need; "root" in the example above grants root login on the node

Configuring Your Own Servers

For manually registered nodes, configure the server to trust Shardlyn's CA:

bash
# Download the CA public key and check its fingerprint before trusting it
curl -o /etc/ssh/shardlyn_ca.pub https://api.shardlyn.com/v1/ssh/ca-public-key
ssh-keygen -lf /etc/ssh/shardlyn_ca.pub

# Add to sshd_config (skip if already present), validate the config, then restart
grep -q '^TrustedUserCAKeys /etc/ssh/shardlyn_ca.pub' /etc/ssh/sshd_config \
  || echo "TrustedUserCAKeys /etc/ssh/shardlyn_ca.pub" >> /etc/ssh/sshd_config
sshd -t && systemctl restart sshd

TIP

Provisioned nodes are automatically configured to trust the CA — no manual setup needed.
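The certificate returned by the API is an ordinary OpenSSH user certificate, so its serial, principals, validity window and signing CA can be read back and checked before a node or an operator relies on it. The following added example (not Shardlyn's code) does that: it decodes an ssh-ed25519 certificate in the PROTOCOL.certkeys layout, computes the signing CA's SHA256 fingerprint, and applies the policy checks a node operator would want (trusted CA, user certificate, inside the validity window, lifetime within a cap, no unexpected principals such as root). Because the real CA key lives in Shardlyn, issuance is simulated with a throwaway local CA through ssh-keygen, which must be installed; the key ID, serial and principals used are made up for the demo.

```python
"""Inspect and sanity-check an OpenSSH user certificate before trusting it.

Added example, not Shardlyn code. Issuance is simulated with a throwaway local CA via
OpenSSH's ssh-keygen; the parser and checks work on any ssh-ed25519 certificate,
including one returned by the certificate endpoint.
"""
import base64
import hashlib
import os
import struct
import subprocess
import tempfile
import time

USER_CERT = 1   # certificate type field: 1 = user, 2 = host


def read_string(buf: bytes, pos: int):
    """Read one SSH wire-format string (uint32 length prefix) starting at pos."""
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    pos += 4
    return buf[pos:pos + n], pos + n


def pubkey_fingerprint(pub_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a 'type base64 comment' public key line."""
    blob = base64.b64decode(pub_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_cert(cert_line: str) -> dict:
    """Decode an ssh-ed25519 certificate (PROTOCOL.certkeys layout) into the fields the
    API response also exposes: serial, principals, validity window, plus the signing CA."""
    key_type, b64 = cert_line.split()[:2]
    if key_type != "ssh-ed25519-cert-v01@openssh.com":
        raise ValueError(f"unsupported type {key_type}")   # RSA/ECDSA certs embed the key differently
    blob = base64.b64decode(b64)
    _, pos = read_string(blob, 0)                     # type string, repeats key_type
    _, pos = read_string(blob, pos)                   # nonce
    _, pos = read_string(blob, pos)                   # ed25519 public key being certified
    serial, cert_type = struct.unpack(">QI", blob[pos:pos + 12])
    pos += 12
    key_id, pos = read_string(blob, pos)
    principals_blob, pos = read_string(blob, pos)
    valid_after, valid_before = struct.unpack(">QQ", blob[pos:pos + 16])
    pos += 16
    _, pos = read_string(blob, pos)                   # critical options
    _, pos = read_string(blob, pos)                   # extensions
    _, pos = read_string(blob, pos)                   # reserved
    signature_key, pos = read_string(blob, pos)       # the CA's public key blob
    principals, p = [], 0
    while p < len(principals_blob):                   # packed sequence of strings
        name, p = read_string(principals_blob, p)
        principals.append(name.decode())
    ca_fp = "SHA256:" + base64.b64encode(hashlib.sha256(signature_key).digest()).decode().rstrip("=")
    return {"serial": serial, "type": cert_type, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before, "ca_fingerprint": ca_fp}


def check_cert(info: dict, trusted_ca_fp: str, allowed_principals, max_hours: int, now: int) -> list:
    """Return the policy violations; an empty list means the certificate is acceptable."""
    problems = []
    if info["ca_fingerprint"] != trusted_ca_fp:
        problems.append("signed by an untrusted CA")
    if info["type"] != USER_CERT:
        problems.append("not a user certificate")
    if not info["valid_after"] <= now < info["valid_before"]:
        problems.append("outside validity window (check clock sync)")
    if info["valid_before"] - now > max_hours * 3600 + 60:   # 60 s slack for a backdated start
        problems.append(f"lifetime exceeds {max_hours}h")
    extra = sorted(set(info["principals"]) - set(allowed_principals))
    if extra:
        problems.append(f"principals not permitted here: {extra}")
    return problems


def issue_locally(workdir: str, key_id: str, serial: int, principals, validity: str = "+8h"):
    """Stand-in for the CA (Shardlyn holds the real CA key): create a CA and a user key,
    then sign the user's public key. Returns (certificate line, CA public key line)."""
    ca, user = os.path.join(workdir, "ca"), os.path.join(workdir, "user")
    for path in (ca, user):
        subprocess.run(["ssh-keygen", "-q", "-t", "ed25519", "-N", "", "-f", path], check=True)
    subprocess.run(["ssh-keygen", "-q", "-s", ca, "-I", key_id, "-z", str(serial),
                    "-n", ",".join(principals), "-V", validity, user + ".pub"], check=True)
    with open(user + "-cert.pub") as f, open(ca + ".pub") as g:
        return f.read(), g.read()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        cert_line, ca_line = issue_locally(d, "alice@laptop", 42, ["shardlyn", "root"])
    info = parse_cert(cert_line)
    trusted = pubkey_fingerprint(ca_line)   # in practice, pin this from an authenticated channel
    print(info)
    # Least privilege: a node that should only ever see the "shardlyn" principal flags "root".
    print(check_cert(info, trusted, ["shardlyn"], 8, int(time.time())))
```

The fingerprint the parser derives is the same value ssh-keygen -lf prints for the CA public key, so the pinned value can be taken from the downloaded shardlyn_ca.pub once it has been verified; the principal check mirrors what sshd's AuthorizedPrincipalsFile does on the server side.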

API Tokens

API tokens provide programmatic access to the Shardlyn API. Use them for CI/CD integrations, scripts, and automation.

Creating an API Token

  1. Go to Settings > API Tokens
  2. Click Create Token
  3. Enter a descriptive name (e.g., "GitHub Actions CI")
  4. Optionally set an expiration time
  5. Copy the token — it's only shown once

Tokens are prefixed with shardlyn_api_ so they are easy to identify in configuration, logs and secret-scanning rules.

Using API Tokens

Include the token in the Authorization header:

bash
curl https://api.shardlyn.com/v1/instances \
  -H "Authorization: Bearer shardlyn_api_..."

Managing Tokens

  • View all tokens in Settings > API Tokens
  • See last used time for each token
  • Delete tokens that are no longer needed

Best Practices

  • Name tokens descriptively — know what each token is used for
  • Set expiration dates — avoid long-lived tokens when possible
  • Use minimal scope — one token per integration
  • Rotate regularly — delete old tokens and create new ones
  • Never commit tokens — use environment variables or secret managers
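The fixed shardlyn_api_ prefix is what makes the last two practices enforceable. The following added example (not Shardlyn's code) is a small pre-commit style gate that finds token-looking strings in files about to be committed and a redaction helper for log output, reporting only a safe fingerprint of each match. The documentation states only the prefix; the token body pattern [A-Za-z0-9_-] and the 20-character minimum are assumptions chosen for matching, and the sample files and token value are constructed.

```python
"""Spot Shardlyn API tokens before they reach a commit or a log line.

Added example, not Shardlyn code. Only the shardlyn_api_ prefix is documented; the
body character set and minimum length below are assumptions for matching purposes.
"""
import re

TOKEN_RE = re.compile(r"shardlyn_api_[A-Za-z0-9_-]{20,}")


def fingerprint(token: str) -> str:
    """Safe-to-log identifier: the prefix plus the last four characters."""
    return f"shardlyn_api_...{token[-4:]}"


def find_tokens(text: str) -> list:
    """Return (line number, fingerprint) for every token-looking string in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TOKEN_RE.finditer(line):
            hits.append((lineno, fingerprint(m.group())))
    return hits


def redact(text: str) -> str:
    """Replace tokens with their fingerprints, e.g. before writing a request to a log."""
    return TOKEN_RE.sub(lambda m: fingerprint(m.group()), text)


def precommit_check(files: dict) -> list:
    """Gate over {path: contents}; returns one message per finding, empty when clean."""
    return [f"{path}:{lineno}: API token {fp} must not be committed"
            for path, contents in files.items()
            for lineno, fp in find_tokens(contents)]


# Constructed sample: a CI workflow that reads the token from a secret (fine) and a
# script with a hard-coded token (not fine). The token value is made up.
SAMPLE_FILES = {
    ".github/workflows/deploy.yml": "env:\n  SHARDLYN_TOKEN: ${{ secrets.SHARDLYN_TOKEN }}\n",
    "scripts/deploy.sh": 'TOKEN="shardlyn_api_7f3kQ9zLmN2pR8vT4wX6yB1cD5eF0gH"\n'
                         'curl -H "Authorization: Bearer $TOKEN" https://api.shardlyn.com/v1/instances\n',
}

if __name__ == "__main__":
    for msg in precommit_check(SAMPLE_FILES):
        print(msg)
```

Wire precommit_check into a pre-commit hook over the staged files and run redact over anything that logs request headers; both keep the full token out of places it cannot be rotated away from.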

Role-Based Access Control (RBAC)

Shardlyn uses RBAC to control what users can do within an organization. See the Organizations Guide for details on roles and permissions.

Role    Capabilities
Owner   Full access, billing, member management
Admin   Manage nodes, workloads, instances, provisioning
User    Manage own workloads and instances, read-only for nodes

Audit Logging

All security-relevant actions are recorded in the audit log:

  • Login attempts (successful and failed)
  • MFA enrollment and changes
  • API token creation and deletion
  • SSH certificate issuance
  • Provisioning operations
  • User and permission changes

View audit logs in Settings > Audit Log. Retention depends on your plan (3 days for Free, 30 days for Pro, 1 year for Enterprise).

Security Checklist

  • [ ] Enable MFA on all admin accounts
  • [ ] Use SSH CA instead of static SSH keys
  • [ ] Set expiration dates on API tokens
  • [ ] Review audit logs regularly
  • [ ] Rotate cloud provider credentials periodically
  • [ ] Use the principle of least privilege for user roles
