Authentication Flow
End-to-End Auth Architecture
Token Types
| Token | Issuer | Contents | Lifetime |
|---|---|---|---|
| Cognito ID Token | AWS Cognito | User identity claims | 1 hour |
| App Access Token | Identity Service | User + tenant + roles | 1 hour |
| Refresh Token | Identity Service | Token refresh grant | 30 days |
| API Key | Organization Service | Machine authentication | Configurable |
Guard Chain
Every authenticated request passes through guards in order:
- JwtAuthGuard - Validates JWT signature and expiry
- TenantGuard - Extracts tenant context from token
- RolesGuard (optional) - Checks the `@Roles()` decorator
- PermissionsGuard (optional) - Checks the `@Permissions()` decorator
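The ordering above matters: a request with a bad signature or expired token must be rejected before any tenant, role or permission logic runs. The following is an added, framework-free TypeScript simulation of that chain; it is not the project's own code. NestJS decorator metadata (`@Roles()`, `@Permissions()`) is modelled as plain `requiredRoles` / `requiredPermissions` fields on a route object, JWT signature verification is represented by an assumed `sigValid` flag on already-decoded claims, and the "any role" / "all permissions" semantics are assumptions.

```typescript
// Added example (not the project's code): a framework-free simulation of the
// guard chain. @Roles()/@Permissions() metadata becomes fields on Route, and
// signature verification is represented by an assumed `sigValid` flag.

type Claims = {
  sub: string;
  tenantId?: string;
  roles?: string[];
  permissions?: string[];
  exp: number;        // expiry, seconds since epoch
  sigValid: boolean;  // assumption: result of the real signature check
};

type Route = { requiredRoles?: string[]; requiredPermissions?: string[] };

type RequestContext = {
  token?: Claims;
  route: Route;
  now: number;        // injected clock keeps the example deterministic
  tenantId?: string;  // set by TenantGuard for downstream handlers
};

type Guard = { name: string; canActivate: (ctx: RequestContext) => boolean };

// 1. JwtAuthGuard: reject missing, tampered or expired tokens.
const JwtAuthGuard: Guard = {
  name: "JwtAuthGuard",
  canActivate: (ctx) =>
    ctx.token !== undefined && ctx.token.sigValid && ctx.token.exp > ctx.now,
};

// 2. TenantGuard: the tenant comes from the verified token, never from a
//    client-supplied header, and is copied onto the request context.
const TenantGuard: Guard = {
  name: "TenantGuard",
  canActivate: (ctx) => {
    const tenantId = ctx.token?.tenantId;
    if (!tenantId) return false;
    ctx.tenantId = tenantId;
    return true;
  },
};

// 3. RolesGuard: allow when the route declares no roles, or the user holds
//    at least one of them (assumed @Roles() semantics).
const RolesGuard: Guard = {
  name: "RolesGuard",
  canActivate: (ctx) => {
    const required = ctx.route.requiredRoles ?? [];
    if (required.length === 0) return true;
    const held = new Set(ctx.token?.roles ?? []);
    return required.some((r) => held.has(r));
  },
};

// 4. PermissionsGuard: every declared permission must be held (assumption).
const PermissionsGuard: Guard = {
  name: "PermissionsGuard",
  canActivate: (ctx) => {
    const required = ctx.route.requiredPermissions ?? [];
    const held = new Set(ctx.token?.permissions ?? []);
    return required.every((p) => held.has(p));
  },
};

const GUARD_CHAIN: Guard[] = [JwtAuthGuard, TenantGuard, RolesGuard, PermissionsGuard];

type Decision = { allowed: boolean; deniedBy?: string; tenantId?: string };

// Run guards in order and stop at the first denial, so an unauthenticated
// request never reaches role or permission logic.
function evaluate(token: Claims | undefined, route: Route, now: number): Decision {
  const ctx: RequestContext = { token, route, now };
  for (const guard of GUARD_CHAIN) {
    if (!guard.canActivate(ctx)) return { allowed: false, deniedBy: guard.name };
  }
  return { allowed: true, tenantId: ctx.tenantId };
}

// Constructed sample tokens and route (not real credentials or project routes).
const NOW = 1_700_000_000;
const adminToken: Claims = {
  sub: "u1", tenantId: "t-acme", roles: ["admin"],
  permissions: ["users:read", "users:write"], exp: NOW + 3600, sigValid: true,
};
const expiredToken: Claims = { ...adminToken, exp: NOW - 1 };
const noTenantToken: Claims = { ...adminToken, tenantId: undefined };
const viewerToken: Claims = { ...adminToken, roles: ["viewer"], permissions: ["users:read"] };
const adminRoute: Route = { requiredRoles: ["admin"], requiredPermissions: ["users:write"] };

console.log(evaluate(adminToken, adminRoute, NOW));    // allowed, tenantId "t-acme"
console.log(evaluate(expiredToken, adminRoute, NOW));  // denied by JwtAuthGuard
console.log(evaluate(noTenantToken, adminRoute, NOW)); // denied by TenantGuard
console.log(evaluate(viewerToken, adminRoute, NOW));   // denied by RolesGuard
```

The `deniedBy` field is the useful detail for detection: logging which guard rejected a request lets you distinguish token-validity failures (JwtAuthGuard) from tenant-scoping or authorization failures further down the chain.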