# Auth Service
gRPC-based authentication service supporting Passkeys (WebAuthn/FIDO2), Google OAuth, API Keys, and Service Accounts with multi-tenant organization support.
## Service Architecture

| Protocol | Port | Description |
|---|---|---|
| gRPC | 50051 | Primary API (Tonic/Prost) |
| HTTP | 8080 | Health checks only |
## Authentication Methods

### Human Authentication

| Method | Status | Description |
|---|---|---|
| Passkey (WebAuthn) | Primary | FIDO2 credentials with biometric verification |
| Google OAuth | Available | Social login via Google ID tokens |
| Magic Link | Disabled | Email provider not configured |

### Machine Authentication

| Method | Format | Description |
|---|---|---|
| API Keys | `tenzro_k_[64-char]` | Long-lived keys with scopes (read, write, admin) |
| Service Accounts | `sa_[16-char]` | OAuth 2.0 Client Credentials for M2M |
## gRPC Endpoints

### Session Management

| Method | Description |
|---|---|
| CreateSession | Create new session with JWT access + refresh tokens |
| ValidateSession | Verify JWT token is valid and not revoked |
| RefreshSession | Get new access token using refresh token |
| RevokeSession | Invalidate session |
### Passkey / WebAuthn

| Method | Description |
|---|---|
| StartPasskeyRegistration | Begin passkey registration, get challenge |
| CompletePasskeyRegistration | Complete registration with credential |
| StartPasskeyAuthentication | Begin passkey auth, get challenge |
| CompletePasskeyAuthentication | Complete auth with signature |
| ListPasskeys | List user's registered passkeys |
| RemovePasskey | Delete a passkey |
### OAuth

| Method | Description |
|---|---|
| VerifyOAuthToken | Validate Google ID token, create session |
### API Keys

| Method | Description |
|---|---|
| CreateApiKey | Generate new API key (secret returned only once) |
| ValidateApiKey | Verify API key, create session |
| RevokeApiKey | Deactivate API key |
| ListApiKeys | List owner's API keys |
| RotateApiKey | Generate new key, revoke old one |
### Service Accounts

| Method | Description |
|---|---|
| CreateServiceAccount | Create service account (secret returned only once) |
| AuthenticateServiceAccount | Login with client_id + client_secret |
| GetServiceAccount | Retrieve service account details |
| UpdateServiceAccount | Modify service account |
| DeleteServiceAccount | Deactivate service account |
| ListServiceAccounts | List service accounts |
| RotateServiceAccountSecret | Generate new secret |
### Organizations (Sub-Tenants)

| Method | Description |
|---|---|
| CreateOrganization | Create organization, owner auto-added |
| GetOrganization | Retrieve organization |
| UpdateOrganization | Modify organization |
| DeleteOrganization | Deactivate organization |
| ListOrganizations | List organizations with pagination |
| AddUserToOrganization | Add member with role |
| RemoveUserFromOrganization | Remove member |
| ListOrganizationMembers | List members with role filter |
## JWT Token Structure

Access tokens use HS256 (HMAC-SHA256) with the following claims:

```json
{
  "sub": "user_id",
  "sid": "session_id",
  "aud": "application_id",
  "iat": 1705312800,
  "exp": 1705399200,
  "token_type": "access"
}
```
## Token Expiration

| Token Type | Validity |
|---|---|
| Access Token | 24 hours |
| Refresh Token | 30 days |
| API Key Session | 1 hour |
| Service Account Session | 1 hour |
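The following is an added illustration of the token structure and validity rules above, not code from the Auth Service itself (which is Rust/Tonic); it is plain Python with only the standard library. It mints an HS256 access token carrying the documented claims with the 24-hour validity, and validates it the way ValidateSession is described: signature check with the algorithm pinned to HS256, `exp`, `aud` and `token_type` enforced, and the session id checked against a revocation set. The 32-character secret minimum from Security Features is enforced at mint time; the revocation set and the fixed `now` argument are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json

ACCESS_TTL = 24 * 3600  # Access Token validity: 24 hours


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_access_token(secret: str, user_id: str, session_id: str, app_id: str, now: int) -> str:
    """Build header.claims.signature with the claims documented for access tokens."""
    if len(secret) < 32:  # JWT secret minimum of 32 characters
        raise ValueError("JWT secret must be at least 32 characters")
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "sid": session_id, "aud": app_id,
              "iat": now, "exp": now + ACCESS_TTL, "token_type": "access"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_access_token(secret: str, token: str, expected_aud: str, revoked_sids: set, now: int):
    """Return the claims if the token is valid and its session not revoked, else None."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
        sig = _b64url_decode(s_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never trust "none" or a swapped alg
        return None
    expected = hmac.new(secret.encode(), f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    if claims.get("token_type") != "access" or claims.get("aud") != expected_aud:
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    if claims.get("sid") in revoked_sids:  # RevokeSession invalidates the session, not the token
        return None
    return claims
```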
## Organization Tiers

| Tier | Description |
|---|---|
| free | Basic access |
| starter | Small teams |
| professional | Growing organizations |
| enterprise | Full features, Canton integration |
## Organization Member Roles

| Role | Permissions |
|---|---|
| owner | Full control, billing, delete organization |
| admin | Manage members, settings |
| member | Standard access |
| viewer | Read-only access |
## API Key Scopes

| Scope | Description |
|---|---|
| read | Read-only operations |
| write | Create and modify resources |
| admin | Administrative operations |
## Security Features

- WebAuthn challenge expiration: 10 minutes
- Cloning detection via passkey counter field
- JWT secret minimum: 32 characters
- API keys stored as SHA-256 hashes only
- Service account secrets stored as SHA-256 hashes only
- IP address hashing for session tracking