Skip to main content

Authenticate Users

This page shows how a solution validates user identity and project context. The platform provides Keycloak-issued JWTs (multi-realm OIDC/PKCE); your service is responsible for validating the signature, extracting claims, and propagating context to downstream calls. For the full platform-side authentication architecture (realm-per-org, JWKS rotation, SSO providers), see Platform › Authentication and Security › Authentication.

Request flow

Steps

1

Add JWT validation as a FastAPI dependency

Use python-jose to verify the token against the realm’s JWKS. Cache the JWKS for ~10 minutes to avoid hammering Keycloak.
packages/api/src/api/auth.py
2

Protect your endpoints

packages/api/src/api/main.py
Routes that need auth declare current_user and (when project context matters) project_id as dependencies. Health probes stay unauthenticated.
3

Read identity, project, and roles from claims

Standard claims you’ll use:
ClaimMeaningNotes
subUser UUIDStable across sessions
issIssuer URLRealm path encodes org_id (last path segment)
audAudienceMust equal your service’s client_id
expExpiryUNIX seconds
org_idOrganizationCustom claim — also extractable from iss
groupsGroup membershipsUsed by Governance for role mapping
Helper to extract org_id from the issuer when the custom claim isn’t set:
4

Check permissions via Governance

Solutions never implement RBAC themselves — they delegate to OpenFGA via Governance. Forward the user’s JWT and the resource ID; Governance returns allow/deny.
Use the auto-generated Python SDK instead of raw HTTP in real services — it handles error mapping, retries, and OpenAPI-validated request shapes.
5

Write a test fixture for a forged dev JWT

Local tests should not call real Keycloak. Generate a signed token with a fixture private key and load the matching public key as a JWKS override.
tests/conftest.py
Generate the keypair once with openssl:
Configure your current_user dependency to load tests/fixtures/dev-public.pem as JWKS in test mode (e.g., when PYTEST_CURRENT_TEST is set).

Service-to-service auth

When your solution’s worker calls another service (or back into Governance/Assets), it can’t use a user’s JWT. Use a service account: a Keycloak client with client_credentials grant. See Platform › Service Accounts for the management API.
The service-account client must be granted the same OpenFGA roles you’d grant a user. Cache tokens for expires_in - 60 seconds to avoid thundering herds at expiry.

Common errors

See the auth section of Troubleshooting.

Next steps

Manage secrets

Move KEYCLOAK_AUDIENCE and DB creds out of .env.

RBAC configuration

Configure OpenFGA roles for your solution’s resources.

API authentication

Reference for all platform-API auth headers.

SDKs › Python

Use the auto-generated SDK instead of raw HTTP.