Governance Service Authentication and RBAC
Most Governance Service routes require a bearer credential. Governance Service delegates validation to Auth Service and then enforces organization and project access based on the returned user context.
Supported Credential Types
Section titled “Supported Credential Types”- End-user JWTs issued through the configured identity provider flow.
- Auth Service API keys for machine integrations.
- Service-account tokens used by platform worker workflows.
Access Checks
Section titled “Access Checks”Project-scoped routes require project membership or platform-level access. Privileged actions require roles and permissions returned by Auth Service. External integrations should request only the scopes and project access they need.
Integration Header
Section titled “Integration Header”Customer systems should send:
Authorization: Bearer <token-or-api-key>Never place bearer credentials in URLs or logs.