Authentication and Error Model
Access authentication
Common mints short-lived ES256 access JWTs.
SynckHub verifies JWTs via JWKS and must operate with cached keys when Common is unavailable.
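The cached-key requirement above can be sketched as follows. This is an added example, not SynckHub's or Common's code: `JwksCache`, `fetch_jwks` and `min_refresh_interval` are hypothetical names, and it covers only key selection; verifying the ES256 signature with the returned key is assumed to happen in a JWT library afterwards.

```python
import base64
import json
import time

class JwksCache:
    """Caches JWKS keys by kid and keeps serving them if the issuer is unreachable."""

    def __init__(self, fetch_jwks, min_refresh_interval=30.0, clock=time.monotonic):
        self._fetch = fetch_jwks      # hypothetical callable: returns {"keys": [...]}, raises on outage
        self._min_interval = min_refresh_interval
        self._clock = clock
        self._keys = {}               # kid -> JWK dict
        self._last_attempt = None

    def _refresh(self):
        now = self._clock()
        # Rate-limit refetches so tokens carrying random kids cannot hammer the issuer.
        if self._last_attempt is not None and now - self._last_attempt < self._min_interval:
            return
        self._last_attempt = now
        try:
            fresh = self._fetch()
        except Exception:
            return                    # issuer unavailable: keep the cached keys
        keys = {k["kid"]: k for k in fresh.get("keys", [])
                if k.get("kty") == "EC" and k.get("crv") == "P-256" and "kid" in k}
        if keys:                      # never replace a good cache with an empty set
            self._keys = keys

    def key_for(self, token):
        """Return the cached JWK for the token's kid, or None (caller must reject)."""
        try:
            header_b64 = token.split(".")[0]
            header_b64 += "=" * (-len(header_b64) % 4)
            header = json.loads(base64.urlsafe_b64decode(header_b64))
        except ValueError:
            return None
        # Pin the algorithm: anything other than ES256 is rejected before key lookup.
        if not isinstance(header, dict) or header.get("alg") != "ES256":
            return None
        kid = header.get("kid")
        if not isinstance(kid, str):
            return None
        if kid not in self._keys:
            self._refresh()           # an unknown kid may mean key rotation
        return self._keys.get(kid)
```

A `None` result means the token is rejected: an outage never widens what is accepted, it only stops new keys from being learned until Common is reachable again.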
Service authentication
Infra-to-control-plane calls use opaque infra bearer tokens minted by Common.
Do not reuse user JWT assumptions for infra service identity.
Refresh/session model
Common refresh tokens are cookie-based and origin-constrained.
Client behavior must follow Common cookie and allowed-origin rules, especially across multiple origins.
Error envelope
Common and platform contracts use a stable error shape:
{ "code": "SOME_CODE", "message": "human-readable message" }
Treat code as the machine contract and message as operator context.