Mindful Auth - Astro Troubleshooting

  • Ensure your domain is onboarded in Mindful Auth
  • Verify the tenant domain in your Worker matches the one registered in Mindful Auth
  • Check that MAUTH_SITE_KEY is set correctly
  • Verify the key matches the one generated for your tenant

Missing MAuth layout (500 Internal Server Error)

Every HTML page in your app must be wrapped with either MAuthPublic (public auth pages) or MAuthProtected (protected [memberid] pages). These layouts inject MAuthMainScript — the core client-side auth system. Forgetting them is a runtime error, not a silent failure.

The middleware detects whether MAuthMainScript was rendered on each HTML page. If a page serves HTML without it, the server returns a 500 Internal Server Error and logs the following:

[MAuth] SECURITY ERROR: MAuthMainScript was not rendered on this page.
- Protected pages ([memberid]/*) must use MAuthProtected layout.
- Public auth pages must use MAuthPublic layout.

This check runs in all environments — development, preview, and production.

Why this matters

MAuthMainScript provides critical functionality that the entire auth system depends on:

  • Frame-busting protection — prevents your pages from being embedded in malicious iframes (clickjacking defense)
  • window.apiFetch() — the global fetch wrapper that adds required headers (X-Requested-With, X-Tenant-Domain) and credential handling to every auth API call. Without it, login, logout, registration, and all other auth operations fail.
  • window.handleAuthResponse() — parses error responses from the auth API. Without it, failed requests produce raw, unhelpful errors.
  • window.get2FAStatus() — powers 2FA state checks across the app.

The middleware enforces authentication server-side regardless, but without the layout the client-side auth system does not exist — forms won’t submit, logout won’t work, and 2FA flows break entirely.

Fix

Public pages:

<MyLayout title="Page Title">
  <MAuthPublic scripts={[...]}>
    <!-- content -->
  </MAuthPublic>
</MyLayout>

Protected pages inside [memberid]:

<MyLayout title="Page Title">
  <MAuthProtected>
    <!-- content -->
  </MAuthProtected>
</MyLayout>
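
The runtime check only fires when a page is requested, so a static check can catch a missing layout earlier. The following is an added example, not Mindful Auth code: it applies the layout rule above to page sources, assuming each page names its MAuth layout tag directly in its own .astro file (a page that gets the layout through a shared wrapper component would be flagged and needs an exception). The function names and sample pages are hypothetical.

```javascript
// Added example: a static pre-deploy check, not Mindful Auth code.
// Assumption: each page names its MAuth layout tag directly in its own .astro source.
const PROTECTED_SEGMENT = "[memberid]";

// Drop frontmatter and HTML comments so a commented-out tag does not count.
function templateOf(source) {
  return source.replace(/^\s*---[\s\S]*?---/, "").replace(/<!--[\s\S]*?-->/g, "");
}

// True if the template contains an opening tag such as <MAuthPublic ...>.
function usesLayout(template, name) {
  return new RegExp(`<${name}(\\s|>|/)`).test(template);
}

// pages: { "path relative to src/pages": "file source" }.
// Returns [{ path, problem }]; an empty array means every page passed.
function checkLayouts(pages) {
  const findings = [];
  for (const [path, source] of Object.entries(pages)) {
    if (!path.endsWith(".astro")) continue; // endpoints serve no HTML page
    const template = templateOf(source);
    const isProtected = path.split("/").includes(PROTECTED_SEGMENT);
    const pub = usesLayout(template, "MAuthPublic");
    const prot = usesLayout(template, "MAuthProtected");
    if (isProtected && !prot) {
      findings.push({ path, problem: pub ? "MAuthPublic on a protected page" : "no MAuth layout" });
    } else if (!isProtected && !pub) {
      findings.push({ path, problem: prot ? "MAuthProtected outside [memberid]" : "no MAuth layout" });
    }
  }
  return findings;
}

// Constructed sample sources (not from a real project).
const samplePages = {
  "login.astro": '<MyLayout title="Login"><MAuthPublic scripts={[...]}><form /></MAuthPublic></MyLayout>',
  "about.astro": '<MyLayout title="About"><!-- <MAuthPublic> --><h1>About</h1></MyLayout>',
  "[memberid]/dashboard.astro": '<MyLayout title="Home"><MAuthProtected><h1>Hi</h1></MAuthProtected></MyLayout>',
  "[memberid]/settings.astro": '<MyLayout title="Settings"><MAuthPublic><p>x</p></MAuthPublic></MyLayout>',
  "api/ping.ts": "export const GET = () => new Response('ok');",
};

console.log(checkLayouts(samplePages));
```

In a build step, feed it the real contents of src/pages and fail the build when the returned array is not empty.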