# Null Pass Documentation

> Technical documentation for Null Pass authentication and service management system

<Hero title="Null Pass Internal Docs" subtitle="Technical documentation for the Null Pass authentication and service management platform" image="/nullpass.svg" />

<Warning>
  **Internal Documentation Only:** If you're not a Null Tools developer, you can close this documentation or visit the [Apps section](/apps/coming-soon) to learn more about using Null Pass in your applications.
</Warning>

## Overview

Null Pass is an internal authentication and service management API that provides secure user authentication, two-factor authentication, session management, and service entitlements for DROP, MAILS, VAULT, and DB services.

This documentation covers the internal architecture, API endpoints, database schema, security features, and operational procedures.

<CardGroup cols={2}>
  <Card title="Quick Start" icon="rocket" href="/quickstart">
    Get up and running with Null Pass in minutes. Learn how to authenticate users and integrate our API.
  </Card>

  <Card title="Authentication" icon="key" href="/authentication">
    Understand how authentication works, including JWT tokens, 2FA, and session management.
  </Card>

  <Card title="API Reference" icon="code" href="/api-reference/auth/register">
    Complete API reference with examples for all endpoints and request/response formats.
  </Card>

  <Card title="Services" icon="server" href="/api-reference/services/overview">
    Learn about service entitlements and how to manage access to DROP, MAILS, VAULT, and DB services.
  </Card>
</CardGroup>

## System Architecture

<AccordionGroup>
  <Accordion title="Authentication System" icon="shield-check">
    **Technology Stack:**

    * JWT tokens with configurable expiration (default: 7 days)
    * bcrypt password hashing (10 rounds)
    * TOTP-based 2FA using speakeasy
    * Session management with encrypted IP storage

    **Key Components:**

    * Token generation and verification (`lib/auth.ts`)
    * Session expiration handling (`lib/session.ts`)
    * IP encryption/decryption (`lib/ip-utils.ts`)
  </Accordion>

  <Accordion title="Service Management" icon="server">
    **Supported Services:**

    * **DROP**: File storage and sharing service
    * **MAILS**: Email management service
    * **VAULT**: Crypto payment processor
    * **DB**: Database service access

    **Entitlement System:**

    * User-service entitlements stored in `UserServiceEntitlement` table
    * Tier-based access (free, premium, custom)
    * Custom storage and API key limits
    * Polar subscription integration
  </Accordion>

  <Accordion title="Database Schema" icon="database">
    **Core Models:**

    * `User`: User accounts with 2FA support
    * `Session`: Active user sessions with encrypted IPs
    * `UserServiceEntitlement`: Service access permissions
    * `AuditLog`: Complete audit trail of all actions

    **Database:** PostgreSQL with Prisma ORM
  </Accordion>

  <Accordion title="Security Features" icon="lock">
    **Protection Layers:**

    * Arcjet integration (rate limiting, bot detection, shield)
    * CORS handling with origin validation
    * Encrypted IP address storage (user-specific encryption)
    * Audit logging for all critical actions
    * Account ban and disable functionality
  </Accordion>
</AccordionGroup>

## Base URL

**Development:** `http://localhost:3000/api`\
**Production:** `https://auth.nullpass.xyz/api`

## Environment Variables

<ResponseField name="JWT_SECRET" type="string" required>
  Secret key for signing JWT tokens. Must be set in production.
</ResponseField>

<ResponseField name="JWT_EXPIRES_IN" type="string" default="7d">
  Token expiration time. Format: `{number}{s|m|h|d}` (e.g., "7d", "24h", "30m")
</ResponseField>

<ResponseField name="DATABASE_URL" type="string" required>
  PostgreSQL connection string for Prisma
</ResponseField>

<ResponseField name="ARCJET_KEY" type="string" required>
  Arcjet API key for rate limiting and bot protection
</ResponseField>

<ResponseField name="INTERNAL_SECRET" type="string" required>
  Internal secret key required for Null Pass API access. This secret is used for internal authentication and authorization.
</ResponseField>
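
A startup check for the variables listed above, as an added example that is not taken from the Null Pass code base. `loadAuthConfig` and `parseExpiresIn` are hypothetical names, and the minimum secret length, the 30-day lifetime cap and the rule that the two secrets must differ are assumptions made for the example.

```typescript
// Added example, not Null Pass source code. loadAuthConfig, parseExpiresIn,
// MIN_SECRET_LEN and MAX_TTL_SECONDS are hypothetical names and thresholds.
const UNIT_SECONDS: Record<string, number> = { s: 1, m: 60, h: 3600, d: 86400 };
const REQUIRED = ["JWT_SECRET", "DATABASE_URL", "ARCJET_KEY", "INTERNAL_SECRET"];
const SECRETS = ["JWT_SECRET", "INTERNAL_SECRET"];
const MIN_SECRET_LEN = 32;          // assumption: example threshold
const MAX_TTL_SECONDS = 30 * 86400; // assumption: example upper bound (30d)

// Parse the documented `{number}{s|m|h|d}` format into seconds. Anything else
// (missing unit, unknown unit, zero, sign, whitespace, fraction) returns null.
function parseExpiresIn(value: string): number | null {
  const m = /^([1-9]\d*)([smhd])$/.exec(value);
  if (m === null) return null;
  const factor = UNIT_SECONDS[m[2] ?? ""];
  return factor === undefined ? null : Number(m[1]) * factor;
}

// Validate a process.env-like object once at startup and fail closed. Errors
// name the variable only, so secret values never end up in logs.
function loadAuthConfig(env: Record<string, string | undefined>): { jwtTtlSeconds: number } {
  const errors: string[] = [];
  for (const name of REQUIRED) {
    const v = env[name];
    if (v === undefined || v.trim() === "") {
      errors.push(name + " is required but not set");
    } else if (SECRETS.indexOf(name) !== -1 && v.length < MIN_SECRET_LEN) {
      errors.push(name + " is shorter than " + MIN_SECRET_LEN + " characters");
    }
  }
  const jwt = env["JWT_SECRET"];
  if (jwt !== undefined && jwt !== "" && jwt === env["INTERNAL_SECRET"]) {
    errors.push("JWT_SECRET and INTERNAL_SECRET must not share a value");
  }
  const raw = env["JWT_EXPIRES_IN"];
  const ttl = parseExpiresIn(raw === undefined ? "7d" : raw); // documented default
  if (ttl === null) {
    errors.push("JWT_EXPIRES_IN must match {number}{s|m|h|d}");
  } else if (ttl > MAX_TTL_SECONDS) {
    errors.push("JWT_EXPIRES_IN exceeds " + MAX_TTL_SECONDS + " seconds");
  }
  if (errors.length > 0 || ttl === null) {
    throw new Error("Invalid Null Pass configuration: " + errors.join("; "));
  }
  return { jwtTtlSeconds: ttl };
}
```

Call it with `process.env` before the server starts listening, so a missing or malformed value stops the process instead of surfacing later as a signing or verification failure.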

## Authentication Flow

Most endpoints require authentication using a JWT token:

```http
Authorization: Bearer <jwt_token>
```

**Token Structure:**

* Contains `userId` and `email`
* Expires after 7 days (configurable via `JWT_EXPIRES_IN`)
* Stored in `Session` table with encrypted IP address

## Quick Links

<CardGroup cols={2}>
  <Card title="API Endpoints" icon="code" href="/api-reference/auth/register">
    Complete API reference for all endpoints
  </Card>

  <Card title="Database Schema" icon="database" href="/api-reference/advanced/database">
    Prisma schema and database structure
  </Card>

  <Card title="Security & Audit" icon="shield-check" href="/api-reference/advanced/security">
    Security features and audit logging
  </Card>

  <Card title="Service Management" icon="server" href="/api-reference/services/overview">
    Service entitlements and access control
  </Card>
</CardGroup>

## Development

<Card title="Quickstart Guide" icon="rocket" href="/quickstart">
  Set up local development environment
</Card>
