Invite Gate

Wololo is invite-only during private beta. Every sign-up requires a valid invite code issued by the platform team.

Flow

1. You receive an invite code (email from team)
2. Visit getwololo.dev → "Get early access" → /invite
3. Enter your code → validated server-side (no plaintext stored)
4. A short-lived httpOnly cookie is set (1 hr TTL)
5. Redirected to /sign-up — middleware enforces cookie presence
6. Complete Clerk sign-up
7. /onboard — the RSC layout atomically claims the code (marks it used)
8. Provision proceeds — access_granted = true on your tenant

Security design

  • Hash-only storage. Codes are stored as SHA-256 hashes. Plaintext never hits the database.
  • Single use. The claim is a single atomic UPDATE ... WHERE used=false, so two concurrent claims cannot both succeed.
  • httpOnly cookie. The validated code is passed via a server-set httpOnly cookie — never in URL params or localStorage.
  • Middleware gate. The /sign-up route is guarded server-side. Without a valid cookie, you cannot reach sign-up.
  • TTL enforced. Codes expire after a platform-configured window. Expired codes return the same generic error as invalid codes.

Pre-launch hardening (tracked in #148)

  • Rate limiting on POST /api/invite/validate
  • Generic error responses (no oracle attack surface)
  • Key rotation audit for admin-issued codes