Security Reference - Char

This page describes implemented security controls in the current auth model.

Ticket exchange security (`/api/auth/pk-ticket`)

Validate publishable_key format
Hash key and look up active key record
Resolve org context from key
Enforce per-key allowed_origins (required, no org-level fallback)
If id_token provided: validate signature/issuer/audience using org IDP config
Issue short-lived ticket with org + user identity

Publishable key controls

Control	Behavior
Stored format	SHA-256 hash (`key_hash`), never plaintext
Display format	Prefix only (`key_prefix`) in UI
Revocation	Immediate via `revoked_at`
Origin restrictions	Per-key `allowed_origins` (required on every key, no org fallback)
Usage tracking	Best-effort `last_used_at` updates

Token validation controls

Claim	Validation
`iss`	Must match configured issuer/domain
`sub`	Required for identity mapping
`aud`	Must match configured allowed audience(s)
`exp`	Must be valid at verification time

Algorithms are limited to asymmetric signatures (no none, no shared-secret algorithm bypasses).

Runtime isolation

Component	Isolation boundary
ThreadManager DO	User/org scoped metadata and connection state
ThreadAgent DO	Thread-scoped execution state
Tool routing	Routed to connection that registered the tool

Recommended operational practices

Scope keys by environment (dev/staging/prod)
Restrict key origins tightly
Revoke keys during incident response
Keep IDP issuer/audience config in sync with auth provider
Monitor auth failures (INVALID_KEY, origin failures, token failures)

Identity Providers

Authentication

Token Issuer MetadataA CIMD extension for passive token validation that eliminates manual SSO configuration

Ticket exchange security (/api/auth/pk-ticket)
Publishable key controls
Token validation controls
Runtime isolation
Recommended operational practices