Skip to content

Token Flows

Auth Service supports several credential flows. Use the flow that matches the user or integration.

Users sign in through the configured identity provider. Auth Service validates the provider-issued identity and supplies platform role and membership context to other services.

API keys are for machine access owned by a user or integration. Store them in a secrets manager, rotate them regularly, and revoke them when they are no longer needed.

Service accounts are for trusted platform services and backend integrations. They are configured by operators and should not be used as a substitute for human user accounts.

Keycloak and Microsoft Entra deployments can use Auth Service token exchange and Auth Service-issued refresh tokens. Auth0 and generic OIDC deployments rely on provider-issued tokens and do not expose the token-exchange workflow.

Use the generated API reference for exact request formats.