Internal Documentation Only: If you’re not a Null Tools developer, you can close this documentation or visit the Apps section to learn more about using Null Pass in your applications.

Overview

Null Pass is an internal authentication and service management API that provides secure user authentication, two-factor authentication, session management, and service entitlements for DROP, MAILS, VAULT, and DB services. This documentation covers the internal architecture, API endpoints, database schema, security features, and operational procedures.

System Architecture

Technology Stack:
  • JWT tokens with configurable expiration (default: 7 days)
  • bcrypt password hashing (10 rounds)
  • TOTP-based 2FA using speakeasy
  • Session management with encrypted IP storage
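As an added illustration of the TOTP scheme behind the 2FA item above (RFC 6238: HMAC-SHA1, 6 digits, 30-second step, which is what speakeasy produces by default), the following is example code written for this page, not Null Pass's own lib code. It uses only Node's built-in `crypto`; the `RFC_TEST_SECRET` is the RFC 4226/6238 test-vector key, included here as a constructed sample, and the `window`/`lastUsedStep` parameters are assumptions about how a verifier would handle clock skew and replay.

```typescript
// Added example: RFC 6238 TOTP with skew window and replay protection.
// Not Null Pass code; RFC_TEST_SECRET is the RFC test-vector key (constructed input).
import { createHmac, timingSafeEqual } from "crypto";

const STEP_SECONDS = 30;
const DIGITS = 6;

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
export function hotp(secret: Buffer, counter: number): string {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const code =
    ((mac[offset] & 0x7f) << 24) |
    ((mac[offset + 1] & 0xff) << 16) |
    ((mac[offset + 2] & 0xff) << 8) |
    (mac[offset + 3] & 0xff);
  return String(code % 10 ** DIGITS).padStart(DIGITS, "0");
}

// TOTP (RFC 6238): HOTP with counter = floor(unixSeconds / 30).
export function totp(secret: Buffer, unixSeconds: number): string {
  return hotp(secret, Math.floor(unixSeconds / STEP_SECONDS));
}

// Verify a submitted code, accepting +/- `window` steps of clock skew and comparing
// in constant time. Returns the matching step so the caller can persist it and
// refuse a second use of the same code (lastUsedStep); returns null on failure.
export function verifyTotp(
  secret: Buffer,
  submitted: string,
  unixSeconds: number,
  window = 1,
  lastUsedStep = -1,
): number | null {
  if (!/^\d{6}$/.test(submitted)) return null;
  const current = Math.floor(unixSeconds / STEP_SECONDS);
  for (let delta = -window; delta <= window; delta++) {
    const step = current + delta;
    if (step <= lastUsedStep) continue; // already consumed: replay protection
    const expected = hotp(secret, step);
    if (timingSafeEqual(Buffer.from(expected), Buffer.from(submitted))) return step;
  }
  return null;
}

// RFC 4226 / 6238 test-vector secret (constructed sample input, not a real key).
export const RFC_TEST_SECRET = Buffer.from("12345678901234567890", "ascii");
```

Persisting the returned step per user is what turns a correct code into a single-use code; without it, a code captured during its 30-second window (plus skew) can be submitted again.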
Key Components:
  • Token generation and verification (lib/auth.ts)
  • Session expiration handling (lib/session.ts)
  • IP encryption/decryption (lib/ip-utils.ts)
Supported Services:
  • DROP: File storage and sharing service
  • MAILS: Email management service
  • VAULT: Secure credential storage
  • DB: Database service access
Entitlement System:
  • User-service entitlements stored in UserServiceEntitlement table
  • Tier-based access (free, premium, custom)
  • Custom storage and API key limits
  • Polar subscription integration
Core Models:
  • User: User accounts with 2FA support
  • Session: Active user sessions with encrypted IPs
  • UserServiceEntitlement: Service access permissions
  • AuditLog: Complete audit trail of all actions
Database: PostgreSQL with Prisma ORM
Protection Layers:
  • Arcjet integration (rate limiting, bot detection, shield)
  • CORS handling with origin validation
  • Encrypted IP address storage (user-specific encryption)
  • Audit logging for all critical actions
  • Account ban and disable functionality
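The "user-specific encryption" of stored IP addresses is not detailed on this page. As an added example (not Null Pass's lib/ip-utils.ts), the following shows one way to get that property: a single master key, a per-user subkey derived with HKDF, and AES-256-GCM with the user id bound as associated data, so a ciphertext copied onto another user's session row will not decrypt. The master key, the HKDF salt/info labels, and the storage format (base64 of nonce || ciphertext || tag) are all assumptions made for this example.

```typescript
// Added example: per-user IP encryption (HKDF subkey + AES-256-GCM). Not Null Pass code.
import { createCipheriv, createDecipheriv, hkdfSync, randomBytes } from "crypto";

// Constructed for this example; a real deployment loads this from a secret store.
const MASTER_KEY = randomBytes(32);
const NONCE_LEN = 12;
const TAG_LEN = 16;

// Derive a 256-bit subkey bound to the user id. A leaked subkey exposes one user's
// records only, and records cannot be re-associated with a different user.
function userKey(userId: string): Buffer {
  return Buffer.from(hkdfSync("sha256", MASTER_KEY, "nullpass-ip-v1", `ip-enc:${userId}`, 32));
}

// Returns base64(nonce || ciphertext || tag). The user id is also bound as AAD.
export function encryptIp(userId: string, ip: string): string {
  const nonce = randomBytes(NONCE_LEN);
  const cipher = createCipheriv("aes-256-gcm", userKey(userId), nonce);
  cipher.setAAD(Buffer.from(userId, "utf8"));
  const ct = Buffer.concat([cipher.update(ip, "utf8"), cipher.final()]);
  return Buffer.concat([nonce, ct, cipher.getAuthTag()]).toString("base64");
}

// Returns the plaintext IP, or null if the record is malformed, tampered with,
// or was encrypted for a different user (GCM tag check fails in every case).
export function decryptIp(userId: string, stored: string): string | null {
  const buf = Buffer.from(stored, "base64");
  if (buf.length < NONCE_LEN + TAG_LEN) return null;
  const nonce = buf.subarray(0, NONCE_LEN);
  const tag = buf.subarray(buf.length - TAG_LEN);
  const ct = buf.subarray(NONCE_LEN, buf.length - TAG_LEN);
  try {
    const decipher = createDecipheriv("aes-256-gcm", userKey(userId), nonce);
    decipher.setAAD(Buffer.from(userId, "utf8"));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
  } catch {
    return null;
  }
}

// Flip one ciphertext byte; used to show that tampering is detected.
export function corrupt(stored: string): string {
  const buf = Buffer.from(stored, "base64");
  buf[NONCE_LEN] ^= 0x01;
  return buf.toString("base64");
}
```

Because the nonce is random per record, two sessions from the same address produce different ciphertexts, so the stored column cannot be grouped by IP without the key; equality checks have to happen after decryption.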

Base URL

Development: http://localhost:3000/api
Production: https://api.nullpass.xyz/api

Environment Variables

JWT_SECRET (string, required): Secret key for signing JWT tokens. Must be set in production.
JWT_EXPIRES_IN (string, default "7d"): Token expiration time. Format: {number}{s|m|h|d} (e.g., "7d", "24h", "30m").
DATABASE_URL (string, required): PostgreSQL connection string for Prisma.
ARCJET_KEY (string, required): Arcjet API key for rate limiting and bot protection.
INTERNAL_SECRET (string, required): Internal secret key required for Null Pass API access. This secret is used for internal authentication and authorization.

Authentication Flow

Most endpoints require authentication using a JWT token:
Authorization: Bearer <jwt_token>
Token Structure:
  • Contains userId and email
  • Expires after 7 days (configurable via JWT_EXPIRES_IN)
  • Stored in Session table with encrypted IP address
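The following is an added example of the token flow and the JWT_EXPIRES_IN format described above, written for this page rather than taken from Null Pass's lib/auth.ts (the page does not say which JWT library the service uses, so the HS256 signing and verification are hand-rolled on Node's `crypto` purely to make the checks visible). The claim names `userId`, `email`, `iat` and `exp`, the `bearerToken` helper and the `nowSec` parameter are assumptions for this example.

```typescript
// Added example: HS256 JWT carrying userId/email with lifetime from JWT_EXPIRES_IN.
// Not Null Pass code; claim layout and helper names are assumptions.
import { createHmac, timingSafeEqual } from "crypto";

// Parse "{number}{s|m|h|d}" into seconds. Throws on a bad value so a misconfigured
// deployment fails at startup instead of issuing tokens with an unintended lifetime.
export function parseExpiresIn(value: string): number {
  const m = /^(\d+)([smhd])$/.exec(value);
  if (!m) throw new Error(`JWT_EXPIRES_IN must be {number}{s|m|h|d}, got "${value}"`);
  const mult = { s: 1, m: 60, h: 3600, d: 86400 }[m[2] as "s" | "m" | "h" | "d"];
  return Number(m[1]) * mult;
}

export interface Claims {
  userId: string;
  email: string;
  iat: number;
  exp: number;
}

const b64url = (b: Buffer): string => b.toString("base64url");

export function signToken(secret: string, userId: string, email: string, nowSec: number, expiresIn = "7d"): string {
  const header = b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const claims: Claims = { userId, email, iat: nowSec, exp: nowSec + parseExpiresIn(expiresIn) };
  const payload = b64url(Buffer.from(JSON.stringify(claims)));
  const sig = b64url(createHmac("sha256", secret).update(`${header}.${payload}`).digest());
  return `${header}.${payload}.${sig}`;
}

// Verify: pin the algorithm, recompute the MAC over the signed part, compare in
// constant time, then check expiry and claim shape. Returns null on any failure.
export function verifyToken(secret: string, token: string, nowSec: number): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  let header: { alg?: string };
  try {
    header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  if (header.alg !== "HS256") return null; // refuse "none" and algorithm switching
  const expected = createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let claims: Claims;
  try {
    claims = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) return null;
  if (typeof claims.userId !== "string" || typeof claims.email !== "string") return null;
  return claims;
}

// Pull the token out of "Authorization: Bearer <jwt_token>".
export function bearerToken(authorization: string | undefined): string | null {
  const m = /^Bearer\s+(\S+)$/i.exec(authorization ?? "");
  return m ? m[1] : null;
}
```

The signature check alone does not make a token revocable: the Session row mentioned above is what lets a ban or logout take effect before `exp`, so a request handler should look the session up after `verifyToken` succeeds rather than trusting the token by itself.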
