Auth And Access designed

GPUaaS uses an OIDC-first identity model with server-side authorization. API consumers should treat the public API contract and the project-scoped access model as the integration boundary, not internal identity-provider details.

Access Patterns

Actor	Preferred path	Notes
Human user	OIDC browser or CLI login	Used for interactive workflows and project administration.
Automation	Project-scoped service account	Used for controllers, CI jobs, app operators, and backend integrations.
Future API key user	Deferred contract	API keys are a future extension; do not assume key endpoints until the contract lands.

Service Account Guidance

Use service accounts when automation keeps running after a human deploy action. The intended shape is:

1. A human project admin creates a project-scoped service account.
2. The service account mints short-lived access tokens.
3. Automation calls public GPUaaS APIs with the token.
4. Authorization remains server-side and project-scoped.

Do not reuse human operator tokens for long-running controllers. Do not build against undocumented Keycloak topology, raw JWT claim conventions, or direct database state.

Login And Project Context

Service Account Token Flow

Client Expectations

• Send bearer credentials only through approved auth channels.
• Treat tenant, project, user, and service-account boundaries as enforced by the platform.
• Use documented scopes and roles, not frontend-only assumptions.
• Preserve correlation_id from error responses for support and trace lookup.
• Expect future API-key support to be additive and contract-backed.

Related Pages

• REST API
• Idempotency And Retries
• Error Model
• Build on AI Cloud

Canonical sources

• doc/architecture/External_App_Team_Integration_Guide_v1.mdraw
• doc/architecture/adrs/ADR-004-identity-authz-model.mdraw
• doc/architecture/adrs/ADR-006-api-key-access-scope.mdraw
• doc/architecture/Service_Account_Model.mdraw
• doc/architecture/Role_and_Policy_Lifecycle_Model.mdraw
• doc/api/openapi.draft.yamlraw