Auth Primitive — IAM Service

The IAM Service is the platform's identity and access management backbone. It is the sole issuer of JWTs, the only service that writes to user and role tables, and the source of truth for every permission check in the API Gateway. Every other service trusts the JWT; no other service manages authentication directly.


Responsibilities

| Responsibility | Detail |
| --- | --- |
| Authentication | Email + password, OAuth providers, TOTP MFA, SSO (SAML 2.0 + OIDC federation) |
| Token issuance | JWT ES256 access tokens (15 min) + refresh tokens (7 days) |
| Authorisation | Role and permission management; gRPC ValidateToken for the Gateway |
| Tenant management | Tenant creation, blocking, hierarchy traversal, ownership transfer |
| OIDC Provider | Full OAuth 2.1 + OpenID Connect IdP for external apps and AI agents |
| Custom Claims | Module-registered claims injected into every user JWT at login |

Technical Stack

| Parameter | Value |
| --- | --- |
| Language | Go |
| Service path | services/iam/ |
| Port | Internal — consumed by Gateway over gRPC |
| OpenAPI spec | services/iam/api/openapi.yaml (1 450 lines — largest spec in the platform) |
| gRPC proto | proto/platform/iam/v1/iam_service.proto |
| Database | PostgreSQL with two migration files (OAuth tables + RLS policies) |
| sqlc | services/iam/sqlc.yaml |

13 Internal Packages

| Package | Purpose |
| --- | --- |
| internal/auth | Login, register, token generation (JWT ES256) |
| internal/config | Environment-based configuration |
| internal/data | Data access abstractions |
| internal/handler | HTTP request handlers |
| internal/mfa | TOTP (pquerna/otp), 10 recovery codes |
| internal/middleware | IAM-specific middleware (request context, tracing) |
| internal/oauthapp | OAuth application management (client IDs, secrets, scopes) |
| internal/oidc | OIDC provider implementation (ory/fosite) |
| internal/provider | Pluggable auth adapters (Google, GitHub, MetaMask, SAML, …) |
| internal/rbac | Role-Based Access Control engine |
| internal/repository | PostgreSQL repositories generated by sqlc |
| internal/tenant | Multi-tenant logic, B2B2B hierarchy traversal |
| internal/user | User domain logic (profile, status, providers) |

3 gRPC Services

The IAM service is consumed exclusively via gRPC by the API Gateway. REST calls from clients pass through the Gateway, which translates them to gRPC.

| gRPC service | Key RPCs | Consumers |
| --- | --- | --- |
| IamService | CreateUser, RetrieveUser, ListUsers, UpdateUser, DeleteUser | Gateway, Data Layer |
| AuthService | Login, Refresh, ValidateToken | Gateway (every authenticated request) |
| TenantHierarchyService | IsDescendant, GetTenantStatus | Gateway delegation middleware |

ValidateToken is called on every request that carries an Authorization: Bearer header. It verifies the ES256 signature, checks expiry, and returns the decoded claim set, including roles[] and tenantId. The Gateway never acts on a decoded JWT without this IAM verification pass.


35+ REST Endpoints

All REST endpoints are exposed through the API Gateway at https://api.septemcore.com/v1/. The IAM service never faces the public internet directly.

| Group | Endpoints | Count |
| --- | --- | --- |
| Core Auth | POST /auth/register, POST /auth/login, POST /auth/logout, POST /auth/refresh, GET /auth/me | 5 |
| MFA | POST /auth/mfa/enable, POST /auth/mfa/verify, POST /auth/mfa/disable, POST /auth/recovery, GET /auth/recovery-codes, POST /auth/recovery-codes/regenerate | 6 |
| Security flows | POST /auth/verify-email, POST /auth/request-verify-email, POST /auth/request-reset, POST /auth/reset-password, POST /auth/invite, POST /auth/accept-invite | 6 |
| OAuth Providers | GET /auth/providers, POST /auth/login/:providerId, GET /auth/callback/:providerId | 3 |
| Users | POST /users, GET /users, GET /users/:id, PATCH /users/:id, DELETE /users/:id, PATCH /users/:id/restore | 6 |
| User providers | GET /users/:id/providers, POST /users/:id/providers/:providerId, DELETE /users/:id/providers/:providerId | 3 |
| RBAC | POST /roles, GET /roles, GET /roles/:id, PATCH /roles/:id, DELETE /roles/:id, POST /users/:id/roles, DELETE /users/:id/roles/:roleId, GET /permissions | 8 |
| Multi-tenant | GET /auth/tenants, POST /auth/select-tenant, POST /auth/switch-tenant | 3 |
| Custom claims | GET /auth/claims, POST /auth/claims, DELETE /auth/claims/:name | 3 |
| OIDC | GET /.well-known/openid-configuration, GET /.well-known/jwks.json, GET /oauth/authorize, POST /oauth/token, GET /oauth/userinfo, POST /oauth/revoke, POST /oauth/introspect | 7 |
| SSO | GET /auth/sso/providers, POST /auth/sso/providers, PATCH /auth/sso/providers/:id, DELETE /auth/sso/providers/:id, GET /auth/sso/login/:id, POST /auth/sso/callback/:id, GET /auth/sso/metadata | 7 |
| Tenants | POST /tenants, GET /tenants, GET /tenants/:id, PATCH /tenants/:id, DELETE /tenants/:id, and action endpoints | 10+ |

Security Characteristics

| Property | Value |
| --- | --- |
| JWT algorithm | ES256 (ECDSA P-256) |
| Access token TTL | 15 minutes |
| Refresh token TTL | 7 days (per-tenant scoped — stolen token ≠ access to other tenants) |
| Password hashing | Argon2id — 64 MB memory, 1 iteration, 4 threads, 32-byte key (NIST 800-63B) |
| Minimum password length | 12 characters |
| MFA | TOTP RFC 6238 (30-second window, 10 recovery codes, Argon2id-hashed) |
| Anti-enumeration | Constant-time responses on register, login, invite, and password reset |
| Refresh token rotation | Every refresh call issues a new refresh token; the previous is revoked |
| Session isolation | Refresh tokens are tenant-scoped |
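
An added Go model (not the IAM service's own code) of the three refresh-token rules in the table above: a 7-day TTL, tenant scope, and rotation that revokes the presented token so a replayed or cross-tenant token is refused. The store layout and method names are assumptions, and the in-memory map stands in for the service's database.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"sync"
	"time"
)

// Constructed model of the page's refresh-token rules; names and layout are assumptions, not IAM's code.
type refreshRecord struct {
	userID, tenantID string
	expires          time.Time
	revoked          bool
}

type RefreshStore struct {
	mu   sync.Mutex
	recs map[string]*refreshRecord // keyed by SHA-256(token): a leaked table does not leak usable tokens
}

func NewRefreshStore() *RefreshStore { return &RefreshStore{recs: map[string]*refreshRecord{}} }
func hashToken(tok string) string  { h := sha256.Sum256([]byte(tok)); return hex.EncodeToString(h[:]) }

// Issue mints a random opaque token bound to one user in one tenant, valid for 7 days.
func (s *RefreshStore) Issue(userID, tenantID string, now time.Time) string {
	buf := make([]byte, 32)
	rand.Read(buf)
	tok := hex.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.recs[hashToken(tok)] = &refreshRecord{userID, tenantID, now.Add(7 * 24 * time.Hour), false}
	return tok
}

// Rotate honours a token once, only for its own tenant and only before expiry; it revokes the presented token and returns a fresh one.
func (s *RefreshStore) Rotate(tok, tenantID string, now time.Time) (next string, ok bool) {
	s.mu.Lock()
	rec, found := s.recs[hashToken(tok)]
	if !found || rec.revoked || rec.tenantID != tenantID || !now.Before(rec.expires) {
		s.mu.Unlock()
		return "", false // unknown, replayed, wrong-tenant and expired tokens all fail the same way
	}
	rec.revoked = true
	userID := rec.userID
	s.mu.Unlock()
	return s.Issue(userID, tenantID, now), true
}
```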

Pluggable Auth Adapters

The IAM service ships six adapter categories. Every adapter returns a UserIdentity struct; the kernel takes it from there (finds or creates the user, assigns the tenant, issues the JWT):

| Category | Examples |
| --- | --- |
| oauth | Google, Apple, GitHub |
| wallet | MetaMask, WalletConnect |
| social | Telegram, Discord |
| banking | BankID, Monobank, Sber ID |
| enterprise | Active Directory, LDAP, SAML 2.0, OIDC Federation |
| custom | Any future provider via the AuthProvider interface |

SDK Quick Reference

import { useAuth } from '@platform/sdk-auth';

const { user, isLoading, login, logout, refresh } = useAuth();

Full authentication lifecycle, MFA, provider management, and role operations are documented in the following pages: