Authentication

✅ Verified

Route prefixes & auth mechanisms against Axowl.Infra/Middleware/TenantResolutionMiddleware.cs, Axowl.Auth/Services/Identity/IdentityServiceImpl.cs:113-143 — 2026-06-22. Field-level detail ⚠️ pending OpenAPI.

Axowl exposes several authentication mechanisms depending on the caller.

Route taxonomy

Prefix	Caller	Auth
/api/org/{slug}/*	Dashboard (org member)	Session token; org + membership resolved by TenantResolutionMiddleware.
/api/public/*	SDK / end user	Application key and/or per-org RS256 JWT.
/api/m2m/token	Server-to-server	Exchanges an org API key (ah_live_…) for a token.
/scim/v2/{orgSlug}/*	IdP provisioning	SCIM bearer token.
/api/v1/admin/*	Platform admin	Session token.

End-user tokens (RS256)

End-user JWTs are signed with the org’s RSA key and verified via the org’s published JWKS. Server-authoritative checks (Introspect, CheckPermission) read fresh permissions from the database (IdentityServiceImpl.cs:226), so revocations apply immediately.

M2M API keys

Org API keys are prefixed ah_live_ and presented as Authorization: Bearer ah_live_… (IdentityServiceImpl.cs:124). They are SHA-256 hashed at rest and scoped to one org.

M2M API keys are scoped to a single organization and can be rotated or revoked from Settings → Keys.