Skip to content

Token Flows

Auth Service normalizes credential validation for users, API keys, and service-account workflows.

Users sign in through Governance Studio and the configured identity provider. Auth Service validates incoming tokens, enriches user context, and returns membership and permission information to platform services.

For providers that require exchange, Auth Service can issue platform-enriched tokens backed by its own signing keys and JWKS endpoint. In v0.2, token exchange is used for Keycloak and Microsoft Entra ID flows. Auth0 and generic OIDC deployments rely on provider-issued access tokens and Auth Service validation.

Refresh-token behavior is configurable for providers and flows that use Auth Service issued tokens. Operators should configure expiry, rotation, and binding behavior according to customer security requirements.

Service accounts support worker and machine workflows. Their tokens should be treated as privileged bearer credentials and stored only in approved secret systems.