Issue Mandates

STS is the authority issuance boundary. It authenticates applications, validates sessions and delegated authority, evaluates policies, handles step-up challenges, and returns scoped mandate JWTs.

| Property | Value |
| --- | --- |
| Port | 8080 |
| Token exchange | `POST /oauth/2/token` |
| JWKS | `GET /.well-known/jwks.json?zone_id={zone}` |
| Step-up status | `GET /step-up/{id}` |
| Health/readiness | `GET /health`, `GET /ready` |
| Metrics | `GET /metrics`, `GET /metrics.json` |
| Internal policy simulation | `POST /internal/policy/simulate` |

| Dependency | Purpose |
| --- | --- |
| Postgres | Applications, grants, resources, policies, sessions, step-up challenges, signing keys. |
| Redis | Policy/key invalidation, revocation, provider coordination, audit emission. |
| Zone KEK | Decrypt signing and secret material. |
| Gateway HMAC key | Verify Gateway-authenticated exchanges. |
| Audit replay dir | Persist audit events while Redis/Audit is unavailable. |

| Rule | Behavior |
| --- | --- |
| Resource mandate TTL | Capped at 15 minutes. |
| Session mandate TTL | Capped at 60 minutes. |
| `MAX_GRANT_TTL_SECONDS` | Defaults to 3600. |
| `OPA_POLL_SECONDS` | Defaults to 60, capped at 300. |
| Published modes | Require `GATEWAY_STS_HMAC_KEY` and audit/stream keys where configured. |

Any of the following denies the exchange: invalid client credentials, a missing resource, an invalid subject token, a revoked session, an unsatisfied step-up challenge, a policy denial, invalid delegation, or a failed Gateway signature. Gateway-authenticated mandate use is additionally held to the resource's native operation floor: an operation that is not declared on an enforced resource, or whose required scope is absent from the mandate, is denied with `operation_not_permitted`, independently of what policy would decide.
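The two rules above that are mechanical rather than policy-driven, the TTL caps and the native operation floor, are easy to get subtly wrong in an issuer. The following is an added illustration (example code, not the STS's own implementation) of how an issuance path can apply them: TTLs are clamped to the page's caps, and the operation floor is evaluated before policy so that a missing declaration or missing scope yields `operation_not_permitted` no matter what policy says. The `Resource` shape, the scope names, and the `policy_denied` code are assumptions made for the example.

```python
"""Illustrative mandate issuance checks: TTL caps and the native operation floor.

Example code written for this page; it is not the STS's own implementation.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# TTL caps as stated in the rules table (seconds).
RESOURCE_MANDATE_MAX_TTL = 15 * 60
SESSION_MANDATE_MAX_TTL = 60 * 60

# Denial code named on the page for operation-floor failures.
OPERATION_NOT_PERMITTED = "operation_not_permitted"
# Assumed code for a policy denial; the page does not name one.
POLICY_DENIED = "policy_denied"


@dataclass(frozen=True)
class Resource:
    """Assumed shape of an enforced resource: declared operations mapped to the
    scope a mandate must carry to perform them."""
    name: str
    enforced: bool
    operations: dict  # {operation: required_scope}


def cap_mandate_ttl(kind: str, requested_seconds: int) -> int:
    """Clamp a requested mandate TTL to the cap for its kind.

    A caller asking for more than the cap silently gets the cap; the cap is
    never exceeded regardless of the request.
    """
    if requested_seconds <= 0:
        raise ValueError("ttl must be positive")
    if kind == "resource":
        return min(requested_seconds, RESOURCE_MANDATE_MAX_TTL)
    if kind == "session":
        return min(requested_seconds, SESSION_MANDATE_MAX_TTL)
    raise ValueError(f"unknown mandate kind: {kind!r}")


def check_operation_floor(resource: Resource, mandate_scopes: set, operation: str) -> Optional[str]:
    """Return None if the operation clears the native operation floor, else the denial code.

    The floor only applies to enforced resources. It denies when the operation
    is not declared on the resource, or when the scope the declaration requires
    is absent from the mandate.
    """
    if not resource.enforced:
        return None
    required_scope = resource.operations.get(operation)
    if required_scope is None:
        return OPERATION_NOT_PERMITTED  # operation not declared
    if required_scope not in mandate_scopes:
        return OPERATION_NOT_PERMITTED  # required scope missing from mandate
    return None


def authorize_gateway_use(resource: Resource, mandate_scopes: set, operation: str,
                          policy_allows: bool) -> Tuple[bool, Optional[str]]:
    """Combine the floor check with a (pre-computed) policy decision.

    The floor is evaluated first and is independent of policy: a floor failure
    is reported as operation_not_permitted even when policy would allow.
    """
    floor_denial = check_operation_floor(resource, mandate_scopes, operation)
    if floor_denial is not None:
        return False, floor_denial
    if not policy_allows:
        return False, POLICY_DENIED
    return True, None


if __name__ == "__main__":
    # Constructed sample resource and mandate for a local run.
    orders = Resource("orders-api", enforced=True,
                      operations={"orders:read": "orders.read", "orders:write": "orders.write"})
    print(cap_mandate_ttl("resource", 3600))                      # 900
    print(check_operation_floor(orders, {"orders.read"}, "orders:write"))  # operation_not_permitted
    print(authorize_gateway_use(orders, set(), "orders:read", policy_allows=True))
```

Ordering matters here: evaluating policy first and the floor second would still deny, but it would report the wrong reason and spend a policy evaluation on a request that could never succeed.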

Use Protect Upstreams to understand how Gateway validates inbound authority and performs per-request STS exchange.