Token Flows
Auth Service normalizes credential validation for users, API keys, and service-account workflows.
User Tokens
Section titled “User Tokens”Users sign in through Governance Studio and the configured identity provider. Auth Service validates incoming tokens, enriches user context, and returns membership and permission information to platform services.
Token Exchange
Section titled “Token Exchange”For providers that require exchange, Auth Service can issue platform-enriched tokens backed by its own signing keys and JWKS endpoint. In v0.2, token exchange is used for Keycloak and Microsoft Entra ID flows. Auth0 and generic OIDC deployments rely on provider-issued access tokens and Auth Service validation.
Refresh Tokens
Section titled “Refresh Tokens”Refresh-token behavior is configurable for providers and flows that use Auth Service issued tokens. Operators should configure expiry, rotation, and binding behavior according to customer security requirements.
Service Accounts
Section titled “Service Accounts”Service accounts support worker and machine workflows. Their tokens should be treated as privileged bearer credentials and stored only in approved secret systems.