Issue Mandates
STS is the authority issuance boundary. It authenticates applications, validates sessions and delegated authority, evaluates policies, handles step-up challenges, and returns scoped mandate JWTs.
Runtime
| Property | Value |
|---|---|
| Port | 8080 |
| Token exchange | POST /oauth/2/token |
| JWKS | GET /.well-known/jwks.json?zone_id={zone} |
| Step-up status | GET /step-up/{id} |
| Health/readiness | GET /health, GET /ready |
| Metrics | GET /metrics, GET /metrics.json |
| Internal policy simulation | POST /internal/policy/simulate |
Dependencies
| Dependency | Purpose |
|---|---|
| Postgres | Applications, grants, resources, policies, sessions, step-up challenges, signing keys. |
| Redis | Policy/key invalidation, revocation, provider coordination, audit emission. |
| Zone KEK | Decrypt signing and secret material. |
| Gateway HMAC key | Verify Gateway-authenticated exchanges. |
| Audit replay dir | Persist audit events while Redis/Audit is unavailable. |
Issuance Rules
| Rule | Behavior |
|---|---|
| Resource mandate TTL | Capped at 15 minutes. |
| Session mandate TTL | Capped at 60 minutes. |
| MAX_GRANT_TTL_SECONDS | Defaults to 3600. |
| OPA_POLL_SECONDS | Defaults to 60, capped at 300. |
| Published modes | Require GATEWAY_STS_HMAC_KEY and audit/stream keys where configured. |
Failure Posture
Invalid client credentials, missing resources, invalid subject tokens, revoked sessions, unsatisfied step-up, policy denial, invalid delegation, and failed Gateway signatures all deny the exchange. Gateway-authenticated mandate use is additionally held to the resource's native operation floor: an operation that is not declared on an enforced resource, or whose required scope is absent from the mandate, is denied with operation_not_permitted independently of policy, so a policy that would allow the call cannot override the floor.
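The operation-floor and TTL-cap rules above, as an added example that is not part of this page or the project's own code. It models a relying-party check: the resource registry, the claim names (`typ`, `res`, `scope`, `iat`, `exp`) and the denial reason strings other than `operation_not_permitted` are assumptions made for illustration, and the tokens are constructed `alg=none` JWTs so the example runs offline (a real mandate is signed with a zone key published at the JWKS endpoint, and signature verification is assumed to have already happened before these checks).

```python
"""Hypothetical mandate checks mirroring the TTL caps and the native
operation floor described on this page. Claim names and the resource
registry are assumptions, not the project's schema."""
import base64
import json
import time

# Constructed resource registry: resource id -> whether the operation floor
# is enforced, and the scope each declared operation requires.
RESOURCES = {
    "inventory-api": {
        "enforce": True,
        "operations": {
            "read_item": "inventory:read",
            "update_item": "inventory:write",
        },
    },
    # Unenforced resource: no floor applies, policy alone decides.
    "legacy-api": {"enforce": False, "operations": {}},
}

# Issuance caps from the Issuance Rules table, in seconds.
MAX_RESOURCE_TTL = 15 * 60
MAX_SESSION_TTL = 60 * 60


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def decode_claims(token: str) -> dict:
    """Decode the payload of a compact JWT. Signature verification against
    the zone JWKS is assumed to have happened before this point."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    return json.loads(_b64url_decode(parts[1]))


def ttl_within_cap(claims: dict, now: float) -> bool:
    """Reject mandates whose lifetime exceeds the cap for their type, or
    which have already expired. Unknown types are rejected outright."""
    caps = {"resource": MAX_RESOURCE_TTL, "session": MAX_SESSION_TTL}
    cap = caps.get(claims.get("typ"))
    if cap is None:
        return False
    lifetime = claims["exp"] - claims["iat"]
    return 0 < lifetime <= cap and claims["exp"] > now


def check_operation(claims: dict, resource_id: str, operation: str) -> str:
    """Return 'ok' or a denial reason. An operation not declared on an
    enforced resource, or whose required scope is missing from the mandate,
    is denied with operation_not_permitted regardless of policy."""
    res = RESOURCES.get(resource_id)
    if res is None:
        return "missing_resource"          # assumed reason string
    if claims.get("res") != resource_id:
        return "resource_mismatch"         # assumed reason string
    if not res["enforce"]:
        return "ok"
    required = res["operations"].get(operation)
    if required is None:
        return "operation_not_permitted"   # not declared on the resource
    granted = set(claims.get("scope", "").split())
    if required not in granted:
        return "operation_not_permitted"   # declared, but scope absent
    return "ok"


def make_unsigned_token(claims: dict) -> str:
    """Constructed alg=none token so the example runs offline. Never accept
    alg=none from a real issuer; it is used here only to build test input."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def evaluate(token: str, resource_id: str, operation: str, now=None) -> str:
    """Run the TTL cap check first, then the operation floor."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    if not ttl_within_cap(claims, now):
        return "ttl_exceeds_cap_or_expired"  # assumed reason string
    return check_operation(claims, resource_id, operation)


if __name__ == "__main__":
    now = 1_700_000_000
    tok = make_unsigned_token({"typ": "resource", "res": "inventory-api",
                               "scope": "inventory:read",
                               "iat": now, "exp": now + 600})
    print(evaluate(tok, "inventory-api", "read_item", now))     # ok
    print(evaluate(tok, "inventory-api", "update_item", now))   # operation_not_permitted
```

The order of checks matters: the floor is evaluated on the mandate's scopes as issued, so a policy layer sitting in front of `check_operation` can narrow but never widen what the floor permits.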
Next Step
Use Protect Upstreams to understand how Gateway validates inbound authority and performs per-request STS exchange.

