Security features and best practices
View All Tags
When we designed Thresh Hub's authentication, we made a deliberate choice: opaque tokens with server-side validation instead of JWTs. The three key families (thresh_live_*, thresh_mid_*, thresh_cli_*) are random hex/base64 strings with no embedded claims. Every request validates against a SHA-256 hash stored in the database.
Here's why — and how the whole system fits together.
When you're managing a fleet of development environments across a network, the transport layer isn't just plumbing — it's the nervous system. Every heartbeat, every command dispatch, every metrics payload depends on it. We needed something that was real-time, resilient, and could degrade gracefully when the network couldn't cooperate.
We chose ASP.NET SignalR as the primary transport, with REST polling as automatic failover. Here's why, and exactly how it works under the hood.
In an era of increasing software supply chain attacks, transparency and trust are paramount. That's why thresh publishes a Software Bill of Materials (SBOM) with every release, giving you complete visibility into our dependencies and supply chain.