Use STS Endpoint

STS is served on port 8080 and issues scoped Caracal mandate JWTs.

| Method | Path | Purpose |
|---|---|---|
| POST | /oauth/2/token | OAuth token exchange for resource, session, Gateway, or delegated mandates. |
| GET | /.well-known/jwks.json?zone_id={zone} | Public signing keys for mandate verification, scoped per zone. |
| GET | /step-up/{id} | Step-up challenge status. |
| GET | /health | Liveness check. |
| GET | /ready | Readiness check. |
| GET | /metrics | Prometheus metrics. |
| GET | /metrics.json | JSON metrics. |

POST /oauth/2/token accepts form-encoded parameters.

| Parameter | Purpose |
|---|---|
| grant_type | OAuth grant type. |
| subject_token, subject_token_type | Existing authority to exchange. |
| actor_token | Optional actor authority. |
| resource | One or more target resource identifiers. |
| scope | Requested scopes. |
| zone_id | Zone boundary. |
| application_id | Calling application. |
| client_secret, client_assertion, client_assertion_type | Application authentication. |
| session_id, agent_session_id, delegation_edge_id | Session and delegation anchors. |
| ttl_seconds | Requested TTL. |
| challenge_id, challenge_response | Step-up completion. |

Successful exchanges return an OAuth-style token response with access_token, token_type, expires_in, and related fields. Step-up returns interaction_required with challenge data. Errors use the shared error and error_description shape.
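As an added example (not Caracal's own client code), the following assembles a form-encoded exchange request for POST /oauth/2/token and sorts the reply into the three shapes above: a token response, a step-up (interaction_required) response, and the shared error shape. The STS host, the RFC 8693 grant-type and token-type URNs, and the assumption that interaction_required arrives in the `error` field are assumptions; all sample values are constructed.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen
from urllib.error import HTTPError

STS_TOKEN_URL = "http://localhost:8080/oauth/2/token"  # assumed host; port 8080 is from the docs
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693 value, assumed
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"  # RFC 8693 value, assumed


def exchange_fields(subject_token, resources, scope, zone_id, application_id,
                    client_secret, ttl_seconds=None, anchors=None):
    """Build the (name, value) pairs for a token exchange; 'resource' repeats once per target."""
    fields = [
        ("grant_type", TOKEN_EXCHANGE_GRANT),
        ("subject_token", subject_token),
        ("subject_token_type", JWT_TOKEN_TYPE),
        ("scope", scope),
        ("zone_id", zone_id),
        ("application_id", application_id),
        ("client_secret", client_secret),
    ]
    fields += [("resource", r) for r in resources]
    if ttl_seconds is not None:
        fields.append(("ttl_seconds", str(ttl_seconds)))
    # Session and delegation anchors (session_id, agent_session_id, delegation_edge_id)
    fields += sorted((anchors or {}).items())
    return fields


def classify_token_response(status, body):
    """Map an STS reply to ('token' | 'step_up' | 'error', payload)."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return "token", data
    if data.get("error") == "interaction_required":
        # Assumed placement of the step-up marker; the payload carries the challenge data
        # the client later completes with challenge_id and challenge_response.
        return "step_up", data
    return "error", {"error": data.get("error"),
                     "error_description": data.get("error_description")}


def exchange(fields):
    """POST the form-encoded exchange and classify the result (4xx/5xx bodies are still JSON)."""
    req = Request(STS_TOKEN_URL, data=urlencode(fields).encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req, timeout=5) as resp:
            return classify_token_response(resp.status, resp.read())
    except HTTPError as e:
        return classify_token_response(e.code, e.read())
```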

| Method | Path | Purpose |
|---|---|---|
| POST | /internal/policy/simulate | Simulate policy input. |
| GET | /internal/policy/status/{zoneID} | Inspect policy load status. |
| POST | /internal/zones/{zoneID}/signing-key/rotate | Rotate zone signing key. |

Internal endpoints are for service/admin integration, not normal application traffic.

Use Proxy Through Gateway to understand how Gateway validates inbound authority and exchanges with STS per request.