Zone 0

Auth Gateway

Identity verification, MFA enforcement, and session token issuance. Every request to bRRAIn starts here — no exceptions.

Overview

The Auth Gateway is the front door of the bRRAIn platform. It handles all identity verification, multi-factor authentication enforcement, and session token issuance. No request reaches any internal zone without first passing through Zone 0. This zone integrates with enterprise identity providers via SAML 2.0 and OpenID Connect, enforces account lockout policies, and applies rate limiting on authentication endpoints to prevent brute-force attacks.

Key capabilities

Identity Verification

Validates user identity against configured identity providers before issuing session tokens.

MFA Enforcement

Enforces multi-factor authentication based on role tier — mandatory for Tier 0-2, configurable for others.

SAML 2.0 / OIDC Integration

Seamless integration with enterprise SSO providers including Okta, Azure AD, and Google Workspace.

Session Token Issuance

Issues cryptographically signed, time-limited session tokens with embedded role and workspace context.

Account Lockout

Progressive lockout after failed authentication attempts: 5 failures trigger a 15-minute lockout.

Rate Limiting

Per-IP and per-account rate limiting on auth endpoints to prevent credential stuffing and brute-force attacks.

Security implications

How Zone 0 enforces bRRAIn's zero-trust security model:

  • Every request must authenticate through Zone 0 before reaching any other zone
  • Session tokens are cryptographically signed and time-limited (configurable, default 8 hours)
  • Failed authentication attempts are logged and trigger progressive lockout
  • MFA is enforced for all administrative roles (Tier 0-2)
  • IP-based rate limiting prevents brute-force and credential stuffing attacks

Every zone enforces its own security boundary. No zone trusts another implicitly.

How it connects

Zone 0 issues authenticated session tokens that Zone 1 validates on every subsequent request.

[Diagram: Zone 0 Auth Gateway → Zone 1 — API Router; Zone 7 — Security Policy Engine inspects all zone transitions]
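
The token flow described above (Zone 0 issues, Zone 1 validates on every request), as an added example that is not bRRAIn's code. It assumes an HMAC-SHA256 signature over JSON claims with a key shared by both zones; the function names and claim names are hypothetical.

```python
import base64, hashlib, hmac, json, time

DEFAULT_TTL = 8 * 3600          # page: time-limited, default 8 hours
MFA_REQUIRED_TIERS = {0, 1, 2}  # page: MFA mandatory for Tier 0-2

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(key: bytes, body: str) -> str:
    # Assumed scheme: HMAC-SHA256 over the encoded claims.
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def issue_token(key, user, tier, workspace, mfa_passed, now=None, ttl=DEFAULT_TTL):
    """Zone 0 side: refuse issuance when the role tier requires MFA and it was not completed."""
    if tier in MFA_REQUIRED_TIERS and not mfa_passed:
        raise PermissionError("MFA required for this role tier")
    now = int(time.time() if now is None else now)
    # Role and workspace context are embedded so later zones need no lookup.
    claims = {"sub": user, "tier": tier, "ws": workspace, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _sign(key, body)

def validate_token(key, token, now=None):
    """Zone 1 side: called on every request; returns the claims, or None to reject."""
    now = int(time.time() if now is None else now)
    body, sep, sig = token.partition(".")
    # Verify the signature before parsing anything; compare in constant time.
    if not sep or not hmac.compare_digest(sig.encode(), _sign(key, body).encode()):
        return None
    try:
        claims = json.loads(_unb64(body))
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None  # expired or malformed
    return claims
```

With a shared HMAC key, any zone that can validate tokens can also mint them; an asymmetric signature would let Zone 1 verify without holding the issuing key.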
