API Keys and Service Accounts
Auth Service supports API keys for machine integrations and service accounts for platform worker workflows.
API Keys
Section titled “API Keys”API keys authenticate machine callers. They should have a clear owner, purpose, scope, expiration policy, and revocation procedure.
Service Accounts
Section titled “Service Accounts”The governance worker service account allows scheduled and automated workflows
to create declarations without an end-user session. The released flow uses the
bootstrapped governance-worker service account; custom service-account
creation is not a general customer self-service workflow in v0.2. The worker
requires identity-provider setup, Auth Service configuration, and DID key
reconciliation before automated declarations are enabled.
Secret Handling
Section titled “Secret Handling”- Store API secrets and service-account credentials in Kubernetes secrets or an approved secret manager.
- Rotate credentials according to customer policy.
- Revoke keys when integrations are removed.
- Avoid logging plaintext keys or bearer tokens.