Auth

Interfaces

Inbound and outbound contracts for Auth

Authentication

All endpoints require X-API-Key except GET /api/v1/health.
Keys are loaded from Secret Manager (AUTH_API_KEY) at startup.
Missing or invalid keys return 401 Unauthorized.

Base path

v1: /api/v1

Endpoint catalog

Resource	Operations	Notes
`/health`	`GET`	Health check (no auth)
`/jwt/verify`	`POST`	JWT verification helper

JWT verify contract

Request body

token (string, required)
expected_aud (string, required)
allowed_issuers (set of strings, required)
expected_nonce (string, optional)

Response body

valid (boolean)
claims (object, may be empty)
error (string, empty when valid)

Errors

401 Unauthorized for invalid JWTs or nonce mismatch.
422 Unprocessable Entity for invalid request payloads.

Outbound dependencies

JWKS endpoints derived from token issuer.
Secret Manager for API keys and optional Sentry DSN.

Last updated on

Runbooks

Operational playbooks for Auth

Configuration

Runtime configuration and environment variables for Auth

On this page

Endpoint catalog

JWT verify contract

Outbound dependencies