Builders — auth and safety

Lenses is local-first: most installs bind to loopback. /api/auth/*, admin surfaces, and optional OIDC flows exist for hardened deployments — treat tokens like production secrets (Security and local-first).

Updated

What it is

Lenses is local-first: most installs bind to loopback. /api/auth/*, admin surfaces, and optional OIDC flows exist for hardened deployments — treat tokens like production secrets (Security and local-first).

Practices

  • Prefer GET for health and read-only probes; never publish POST examples with live payloads containing PII.
  • If browser automation hits Lenses, keep same-origin fetches — follow Studio troubleshooting when origins diverge.
  • Wizard assist routes may forward content to LLM gateways — read Wizard operator trust boundaries.

Verify

Your integration docs state where the bearer or session cookie lives and that CI uses synthetic hosts only.

What to do next