This page documents the auth and exposure model as currently implemented in the Pulse worker code, and where it relies on deployment or edge configuration instead.

Current Security Posture

  • Public Pulse routes are served without any authentication.
  • Public-worker and ingest-worker admin routes enforce an auth check in code (see Admin Auth Implementation).
  • /pulse/daily.json is publicly reachable because PUBLIC_DAILY_DIGESTS=true is in the checked-in public worker config.
  • Application-level rate limiting is not implemented in the reviewed code; any limiting has to come from the edge.

Admin Auth Implementation

Public worker

For /admin* requests:

  • if ADMIN_TOKEN is set, the request must send a matching x-admin-token or authorization header; a cf-access-jwt-assertion header does not substitute for it
  • otherwise the worker accepts a request carrying a cf-access-jwt-assertion header

Ingest worker

For ingest admin routes:

  • if ADMIN_TOKEN or ADMIN_SECRET is set, the request must send a matching x-admin-token or authorization header; a cf-access-jwt-assertion header does not substitute for it
  • otherwise the worker accepts a request carrying a cf-access-jwt-assertion header

In both workers the cf-access-jwt-assertion fallback is only as strong as the edge in front of the worker: Cloudflare Access sets that header, so it is trustworthy only when requests cannot reach the worker except through an enforced Access policy.
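The two rule sets above collapse into one predicate. The following is an added example, not code from the Pulse workers; it assumes, beyond what the page states, that an empty env var counts as unset, that the authorization header carries a "Bearer <token>" value, and that the shared token is compared in constant time. The HeaderLookup/headersFrom helpers exist only so the example runs without a runtime Headers class.

```typescript
// Added example, not code from pulse-public or pulse-ingest: the admin auth
// rule as a single predicate. Assumptions not on the page: empty env var ==
// unset, authorization uses the Bearer scheme, constant-time token compare.

export interface AdminEnv {
  ADMIN_TOKEN?: string;
  ADMIN_SECRET?: string; // only the ingest worker reads this one
}

// Minimal header lookup so the example does not depend on a runtime Headers class.
export interface HeaderLookup {
  get(name: string): string | null;
}

export function headersFrom(raw: Record<string, string>): HeaderLookup {
  const lower: Record<string, string> = {};
  for (const k of Object.keys(raw)) lower[k.toLowerCase()] = raw[k];
  return {
    get: (name) => {
      const key = name.toLowerCase();
      return Object.prototype.hasOwnProperty.call(lower, key) ? lower[key] : null;
    },
  };
}

export type AdminAuthResult =
  | { ok: true; via: "shared-token" | "cf-access" }
  | { ok: false; reason: string };

// Comparison whose running time does not depend on where the strings first
// differ; a length mismatch is folded into the result instead of returning early.
function timingSafeEqualStr(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (i < a.length ? a.charCodeAt(i) : 0) ^ (i < b.length ? b.charCodeAt(i) : 0);
  }
  return diff === 0;
}

// Token presented by the client: x-admin-token first, then a Bearer
// authorization header (the Bearer scheme is an assumption of this example).
function presentedToken(h: HeaderLookup): string | undefined {
  const direct = h.get("x-admin-token");
  if (direct) return direct;
  const auth = h.get("authorization");
  if (!auth) return undefined;
  const m = /^Bearer\s+(\S+)$/i.exec(auth.trim());
  return m ? m[1] : undefined;
}

export function checkAdminAuth(h: HeaderLookup, env: AdminEnv): AdminAuthResult {
  // Public worker: ADMIN_TOKEN. Ingest worker: ADMIN_TOKEN or ADMIN_SECRET.
  const shared = env.ADMIN_TOKEN || env.ADMIN_SECRET;
  if (shared) {
    // A configured shared token is mandatory; cf-access-jwt-assertion does not
    // substitute for it.
    const got = presentedToken(h);
    if (got === undefined) return { ok: false, reason: "shared token configured, none presented" };
    return timingSafeEqualStr(got, shared)
      ? { ok: true, via: "shared-token" }
      : { ok: false, reason: "shared token mismatch" };
  }
  // No shared token configured: fall back to the Cloudflare Access assertion.
  // This only proves anything if the worker is reachable solely through
  // Access; the example does not verify the JWT itself.
  const jwt = h.get("cf-access-jwt-assertion");
  if (jwt) return { ok: true, via: "cf-access" };
  return { ok: false, reason: "no shared token configured and no cf-access-jwt-assertion" };
}
```

The ordering matters: the shared-token branch is checked first and returns on its own, so once a token is configured there is no path on which the Access header alone grants admin.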

Sensitive Route Groups

Public worker admin routes

  • /admin
  • /admin/communities
  • /admin/sources
  • /admin/exports/assign-source

Ingest worker admin routes

  • upload routes
  • file and export routes
  • media routes
  • clear and delete-community routes
  • replay and regeneration routes
  • quota and pipeline routes
  • backfill routes

Public Exposure

Routes intended to be public today include:

  • /pulse
  • /pulse.json
  • /pulse/history.json
  • /pulse/daily.json
  • /pulse/trends.json
  • /pulse/concepts
  • /pulse/concepts.json
  • /pulse/embed
  • /pulse/communities.json
  • /pulse/sources.json
  • /docs/*

The most important caveat is that /pulse/daily.json is public today because PUBLIC_DAILY_DIGESTS=true is checked into the public worker config.
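The exposure model above expressed as a route policy, as an added example that is not code from the Pulse workers. It assumes the PUBLIC_DAILY_DIGESTS flag arrives as the string "true" (as a worker env var would) and, because the page does not say what the real worker returns for /pulse/daily.json when the flag is off, reports that case only as "not-public". The percent-decoding and slash normalisation are hardening choices of the example, not behaviour the page attributes to the workers.

```typescript
// Added example, not code from pulse-public: the exposure model as a route
// policy. Public Pulse routes are an exact-match allowlist, /docs/* and /admin*
// are prefix matches, and /pulse/daily.json is public only when
// PUBLIC_DAILY_DIGESTS === "true" (assumption: the flag is a string env var).

export type Exposure = "public" | "admin" | "not-public";

export interface ExposureEnv {
  PUBLIC_DAILY_DIGESTS?: string;
}

const PUBLIC_EXACT: ReadonlyArray<string> = [
  "/pulse",
  "/pulse.json",
  "/pulse/history.json",
  "/pulse/trends.json",
  "/pulse/concepts",
  "/pulse/concepts.json",
  "/pulse/embed",
  "/pulse/communities.json",
  "/pulse/sources.json",
];

// Normalise before matching so an encoded or slash-padded spelling of an admin
// path ("/%61dmin", "//admin/") is still caught by the prefix check. A path
// that fails to decode is treated as not public rather than matched raw.
function normalisePath(pathname: string): string | null {
  let p: string;
  try {
    p = decodeURIComponent(pathname);
  } catch {
    return null;
  }
  p = p.replace(/\/{2,}/g, "/");
  if (p.length > 1 && p.endsWith("/")) p = p.slice(0, -1);
  return p;
}

export function classifyRoute(pathname: string, env: ExposureEnv): Exposure {
  const path = normalisePath(pathname);
  if (path === null) return "not-public";
  // Admin first, so nothing under /admin* can be reached through the public
  // rules. The page writes /admin*, so this is a plain prefix match.
  if (path.startsWith("/admin")) return "admin";
  // The one config-gated route: public only because of the checked-in flag.
  if (path === "/pulse/daily.json") {
    return env.PUBLIC_DAILY_DIGESTS === "true" ? "public" : "not-public";
  }
  if (PUBLIC_EXACT.indexOf(path) >= 0) return "public";
  if (path === "/docs" || path.startsWith("/docs/")) return "public";
  return "not-public";
}

// Routes a given deployment config actually exposes; run it against the
// checked-in config before deploying to see whether daily.json is included.
export function publicRoutes(env: ExposureEnv): string[] {
  const candidates = PUBLIC_EXACT.concat(["/pulse/daily.json"]);
  return candidates.filter((r) => classifyRoute(r, env) === "public");
}
```

Running publicRoutes with the checked-in config lists /pulse/daily.json; running it with the flag unset does not, which is the config change Remaining Gaps refers to.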

The code-level checks help, but they are not the whole story. Recommended defence in depth:

  • put Cloudflare Access or equivalent edge auth in front of /admin* and the ingest admin routes, so the cf-access-jwt-assertion fallback is actually backed by an enforced edge policy
  • apply WAF rules or edge rate limiting to upload and admin endpoints, since the code has no application-level limiter
  • monitor for retry storms and repeated failed admin auth attempts

Remaining Gaps

  • No application-level rate limit is implemented in the reviewed code.
  • Legal/privacy process items such as controller contact and DSAR workflow are outside this page and still need human confirmation.
  • If daily digests should not be public, the PUBLIC_DAILY_DIGESTS setting in the public worker deployment config must change; this is a config change, not a code change.

Verified against beacon-platform/apps/pulse-public/src/index.ts, apps/pulse-ingest/src/index.ts, and the current deployed /admin behavior on April 22, 2026.