Aegis Developer Portal

Authentication Onboarding

There are two onboarding paths: one for user-facing apps (the User API path) and one for MCP clients (the OAuth device path). Both require short-lived broker tokens, explicit selector-scoped grants, and a per-request proof of possession (DPoP JWT or mTLS fingerprint) bound to every lease operation.

User API Path

  1. Authenticate the user with Firebase Auth.
  2. Derive and protect the user master key locally; plaintext key material never leaves the client.
  3. Call `MintUserApiToken` with the specific credential selectors the app needs and the ID of the proof-of-possession key it will use.
  4. Keep the returned broker token in memory only; never persist it to disk or browser storage.
  5. Call the lease APIs with a DPoP `request_proof` on every request.
  6. Rotate the proof key and revoke the broker token on incident indicators.

Example `MintUserApiToken` request body. The two scopes grant lease create and redeem for exactly one credential (GCP account `deploy-bot` in app `billing-prod`), the requested lifetime is ten minutes, and `pop_key_id` names the proof-of-possession key the token will be bound to:

```json
{
  "tenant_id": "business-default",
  "requested_scopes": [
    "credential.lease.create:provider:gcp:app:billing-prod:account:deploy-bot",
    "credential.lease.redeem:provider:gcp:app:billing-prod:account:deploy-bot"
  ],
  "requested_ttl_seconds": 600,
  "pop_key_id": "key-01"
}
```

MCP OAuth Device Path

  1. The MCP client calls `BeginMcpOauthDeviceAuthorization` and displays the returned verification code and URL to the user.
  2. The user signs in through the browser and approves the device authorization request.
  3. The MCP client polls `ExchangeMcpOauthDeviceAuthorization` until the status is `success`.
  4. No static API keys are involved; keep the returned broker token in memory only.
  5. Bind every lease request with a `request_proof`: either a DPoP JWT or an mTLS client-certificate fingerprint.

Example `request_proof` using a DPoP JWT. The JWT carries `htm` (HTTP method), `htu` (request URL), `ath` (hash of the broker token), `jti` (unique proof ID), `iat` (issue time) and the `nonce` issued for this operation; the nonce is repeated outside the JWT:

```json
{
  "proof_type": "dpop_jwt",
  "dpop_jwt": "<signed-jwt-with-htm-htu-ath-jti-iat-nonce>",
  "nonce": "nonce-create-0001"
}
```

Readiness Checklist

  • Production deployments run with `ALLOW_INSECURE_USER_HEADER=false`, so caller identity comes only from verified tokens, never from a user header the client can set itself.
  • Scope grants name specific credential selectors (provider, app, account); no broad or wildcard grants.
  • CI exercises the replay checks: a lease request that reuses a `jti` or presents a wrong nonce is rejected.
  • The lifecycle of DPoP keys or mTLS client certificates (generation, rotation, revocation) is documented and monitored.
  • A support playbook exists for responding to a compromised proof key or broker token (revoke and rotate).