# Proposal: Add Authentication & Authorization System

**Change ID:** `add-authentication`
**Status:** Proposed
**Type:** Feature
**Priority:** Critical (MVP)
**Target Release:** v0.1.0

## Summary

Implement authentication and authorization system using admin tokens for server access in MVP phase, with foundation for future user account support.

## Problem Statement

OpenSpeak needs secure access control where:
- Only authorized users can connect to server
- Users must authenticate before joining channels
- Permissions control what actions users can perform
- Admin can manage server and users

## Solution Overview

### Phase 1 (MVP): Admin Token Authentication
- Admin tokens stored locally in configuration
- Tokens passed with each gRPC request in metadata
- Server validates token on every call
- Simple permission model: admin or user

### Phase 2 (Future): User Accounts
- User registration and password-based auth
- Password hashing with bcrypt/Argon2
- Session tokens with expiration
- Refresh token mechanism

## Success Criteria

- [ ] All gRPC calls require valid token
- [ ] Invalid/expired tokens rejected with 401 error
- [ ] Tokens never logged in plaintext
- [ ] Permission checks prevent unauthorized actions
- [ ] Authentication interceptor integrated with all services
- [ ] Unit test coverage >80% for auth logic