Authentication
How authentication and authorization flow through Topolo Auth and downstream services.
Core model
Topolo Auth owns:
- user identity
- organization membership and role resolution
- service registration
- service permissions
- API key scopes and resource bindings
Downstream applications trust Auth for the authorization context they consume.
Session and access flow
- A user authenticates with Topolo Auth.
- Topolo Auth issues the access context used by the client or middleware.
- Service backends validate the presented credentials with Auth when current role or permission resolution matters.
- Protected application routes authorize against the resolved service permissions or API key scopes.
Admin-sensitive behavior
Admin-only surfaces such as API key management rely on the org role that Auth resolves at request time, not only on the role claims carried in a token, which may be stale by then. This keeps operator permissions consistent across applications.
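The two sections above describe one decision: ordinary routes authorize against service permissions or API key scopes, while admin-sensitive routes re-resolve the org role from Auth instead of trusting the token's role claim. The following is an added illustration of that decision, not code from Topolo Auth; the `AccessContext` shape, the `authorize` and `resolve_org_role` functions, and the in-memory role, permission and scope tables are all hypothetical, constructed stand-ins for what Auth would hold.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed data for the example; stands in for what Topolo Auth resolves.
CURRENT_ORG_ROLES = {
    ("org-1", "user-alice"): "admin",
    ("org-1", "user-bob"): "member",   # demoted after his token was issued
}
SERVICE_PERMISSIONS = {
    "billing": {"invoices:read", "invoices:write"},
}
API_KEY_SCOPES = {
    "key-reporting": {"org": "org-1", "scopes": {"invoices:read"}},
}


@dataclass
class AccessContext:
    """Credential presented to a downstream route (hypothetical shape)."""
    org: str
    user: Optional[str] = None        # set for user sessions
    token_role: Optional[str] = None  # org role claim baked into the token at issuance
    api_key: Optional[str] = None     # set for API-key callers
    service: Optional[str] = None     # set for registered service callers


def resolve_org_role(org: str, user: str) -> Optional[str]:
    """Current role as Auth would resolve it now; None if not a member."""
    return CURRENT_ORG_ROLES.get((org, user))


def authorize(ctx: AccessContext, action: str,
              admin_sensitive: bool = False) -> Tuple[bool, str]:
    """Decide whether ctx may perform action; returns (allowed, reason).

    Admin-sensitive actions ignore ctx.token_role entirely and ask Auth
    for the current org role, so a stale 'admin' claim buys nothing.
    """
    if admin_sensitive:
        if ctx.user is None:
            return False, "admin-sensitive action requires a user session"
        role = resolve_org_role(ctx.org, ctx.user)
        if role != "admin":
            return False, f"current org role is {role!r}, admin required"
        return True, "admin confirmed by Auth"

    if ctx.api_key is not None:
        binding = API_KEY_SCOPES.get(ctx.api_key)
        # The key must be bound to the org it is being used against.
        if binding is None or binding["org"] != ctx.org:
            return False, "unknown API key or key not bound to this org"
        if action not in binding["scopes"]:
            return False, f"API key lacks scope {action!r}"
        return True, "API key scope matched"

    if ctx.service is not None:
        perms = SERVICE_PERMISSIONS.get(ctx.service, set())
        if action not in perms:
            return False, f"service {ctx.service!r} lacks permission {action!r}"
        return True, "service permission matched"

    if ctx.user is not None:
        # Ordinary user route: membership still has to be current.
        if resolve_org_role(ctx.org, ctx.user) is None:
            return False, "user is no longer a member of this org"
        return True, "org membership confirmed"

    return False, "no credential presented"


if __name__ == "__main__":
    # Bob's token still claims admin; Auth says he is now a member.
    bob = AccessContext(org="org-1", user="user-bob", token_role="admin")
    print(authorize(bob, "api_keys:manage", admin_sensitive=True))
    key = AccessContext(org="org-1", api_key="key-reporting")
    print(authorize(key, "invoices:read"))
    print(authorize(key, "invoices:write"))
```

Running the demo shows Bob denied on the admin-sensitive route despite the `admin` claim in his token, the reporting key allowed `invoices:read` but refused `invoices:write`, and an API key never passing an admin-sensitive check at all, since those require a user session whose role Auth can re-resolve.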
Where to debug
Use the internal Auth handbook for current routes, backing tables, and debugging steps when a service appears to disagree about the user role or allowed action.