---
title: "Issue Mandates"
url: "https://docs.caracal.run/services/sts/"
markdown_url: "https://docs.caracal.run/markdown/services/sts.md"
description: "Service reference for token exchange, mandate issuance, JWKS, policy evaluation, and step-up status."
page_type: "reference"
concepts: []
requires: []
---

# Issue Mandates


STS is the authority issuance boundary. It authenticates applications, validates sessions and delegated authority, evaluates policies, handles step-up challenges, and returns scoped mandate JWTs.

## Runtime

| Property | Value |
| --- | --- |
| Port | `8080` |
| Token exchange | `POST /oauth/2/token` |
| JWKS | `GET /.well-known/jwks.json?zone_id={zone}` |
| Step-up status | `GET /step-up/{id}` |
| Health/readiness | `GET /health`, `GET /ready` |
| Metrics | `GET /metrics`, `GET /metrics.json` |
| Internal policy simulation | `POST /internal/policy/simulate` |

## Dependencies

| Dependency | Purpose |
| --- | --- |
| Postgres | Applications, grants, resources, policies, sessions, step-up challenges, signing keys. |
| Redis | Policy/key invalidation, revocation, provider coordination, audit emission. |
| Zone KEK | Decrypt signing and secret material. |
| Gateway HMAC key | Verify Gateway-authenticated exchanges. |
| Audit replay dir | Persist audit events while Redis/Audit is unavailable. |

## Issuance Rules

| Rule | Behavior |
| --- | --- |
| Resource mandate TTL | Capped at 15 minutes. |
| Session mandate TTL | Capped at 60 minutes. |
| `MAX_GRANT_TTL_SECONDS` | Defaults to `3600`. |
| `OPA_POLL_SECONDS` | Defaults to `60`, capped at `300`. |
| Published modes | Require `GATEWAY_STS_HMAC_KEY` and audit/stream keys where configured. |

## Failure Posture

Invalid client credentials, missing resources, invalid subject tokens, revoked sessions, unsatisfied step-up, policy denial, invalid delegation, and failed Gateway signatures deny exchange. Gateway-authenticated mandate use is additionally held to the resource's native operation floor: an operation that is not declared on an enforced resource, or whose required scope is absent from the mandate, is denied with `operation_not_permitted` independently of policy.
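The issuance caps and the native operation floor above, as an added illustration that is not STS's own code: the `Resource` and `Mandate` models, the `policy_denied` code, and the reading of "capped" as clamping are assumptions; only `operation_not_permitted` and the TTL values come from this page.

```python
# Added example: TTL caps and the native operation floor. Models are hypothetical.
RESOURCE_MANDATE_CAP_SECONDS = 15 * 60   # resource mandate TTL cap
SESSION_MANDATE_CAP_SECONDS = 60 * 60    # session mandate TTL cap
OPA_POLL_DEFAULT_SECONDS, OPA_POLL_MAX_SECONDS = 60, 300


class Resource:
    """Hypothetical model: operations maps operation name -> scope the mandate must carry."""
    def __init__(self, name, enforced, operations):
        self.name, self.enforced, self.operations = name, enforced, dict(operations)


class Mandate:
    """Hypothetical model: the scopes carried by an issued mandate JWT."""
    def __init__(self, scopes):
        self.scopes = set(scopes)


def cap_mandate_ttl(requested_seconds, kind):
    """Assumed semantics: a request above the cap is clamped to it, not rejected."""
    cap = RESOURCE_MANDATE_CAP_SECONDS if kind == "resource" else SESSION_MANDATE_CAP_SECONDS
    return min(requested_seconds, cap)


def opa_poll_seconds(configured=None):
    """OPA_POLL_SECONDS: default 60, never above 300."""
    value = OPA_POLL_DEFAULT_SECONDS if configured is None else int(configured)
    return min(value, OPA_POLL_MAX_SECONDS)


def check_operation_floor(resource, mandate, operation):
    """Native operation floor for Gateway-authenticated mandate use.
    Returns None when satisfied, otherwise the denial code."""
    if not resource.enforced:
        return None                        # floor applies to enforced resources only
    required_scope = resource.operations.get(operation)
    if required_scope is None:
        return "operation_not_permitted"   # operation not declared on the resource
    if required_scope not in mandate.scopes:
        return "operation_not_permitted"   # required scope absent from the mandate
    return None


def authorize(resource, mandate, operation, policy_allows):
    """Floor first, then policy: a permissive policy cannot override the floor."""
    denial = check_operation_floor(resource, mandate, operation)
    if denial is not None:
        return denial
    return None if policy_allows else "policy_denied"  # placeholder code, not STS's
```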

## Next Step

Use [Protect Upstreams](/services/gateway/) to understand how Gateway validates inbound authority and performs per-request STS exchange.

## Related Pages

- [Exchange Tokens](/architecture/token-exchange-flow/)
- [Use STS Endpoint](/api/sts/)
- [Step-Up Challenges](/concepts/step-up/)
