Identity & Auth
TapPass authenticates two types of principals: humans (SSO) and AI agents (SPIFFE).
Auth chain
The middleware tries four methods in order. First match wins:
| Priority | Method | Who | Protocol |
|---|---|---|---|
| 1 | SPIFFE X509-SVID | AI agents | mTLS (1h TTL, auto-rotated by SPIRE) |
| 2 | SPIFFE JWT-SVID | AI agents | Bearer token (5 min TTL) |
| 3 | Session JWT | Humans | SSO (SAML 2.0 / OIDC) |
| 4 | Admin key | Bootstrap | One-time account creation |
No match = 401. No fallback.
SPIFFE agent identity
Agents authenticate via SPIFFE IDs issued by SPIRE:

```text
spiffe://tappass.internal/agent/acme/research-bot
         └ trust domain ┘       └org┘└─ agent ──┘
```

The trust domain is `tappass.internal`; the path names the owning org and the agent. No API keys, no passwords. SPIRE handles certificate rotation automatically.
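The auth chain above and the SPIFFE ID format are easiest to reason about in code. What follows is an added example written for this page, not TapPass's own middleware: it models the four links in priority order, fails closed with 401 when none match, and accepts only SPIFFE IDs in the `tappass.internal` trust domain. The `Request` shape, the `tappass` audience, the `X-Admin-Key` header and the `session` cookie are assumptions, and HS256 with embedded demo keys stands in for SPIRE's trust bundle and the TLS stack's certificate validation.

```python
"""Ordered auth chain: first authenticator that returns a principal wins, none -> 401."""
import base64, hashlib, hmac, json, time
from dataclasses import dataclass, field
from typing import Callable, Optional

TRUST_DOMAIN = "tappass.internal"
# Constructed demo secrets. Real JWT-SVIDs are verified against the SPIRE trust
# bundle and X509-SVIDs by the TLS stack; HS256 stands in for both here.
JWT_SVID_KEY = b"demo-spire-bundle-key"
SESSION_KEY = b"demo-session-signing-key"
ADMIN_KEY = b"demo-bootstrap-admin-key"

class Unauthorized(Exception):
    status = 401

@dataclass
class Request:  # assumed shape: what the TLS terminator and HTTP layer hand the middleware
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    peer_uri_sans: list = field(default_factory=list)  # URI SANs of the verified client cert

@dataclass
class Principal:
    kind: str    # "agent" | "human" | "bootstrap"
    id: str      # SPIFFE ID, e-mail, or "admin"
    method: str  # which link of the chain matched

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT, used only to mint demo tokens."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Claims if the signature is valid, alg is HS256 and exp is in the future; else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # reject alg=none and algorithm-confusion attempts
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
        if not isinstance(claims, dict):
            return None
    except ValueError:  # bad base64, bad JSON, wrong segment count, undecodable bytes
        return None
    return claims if claims.get("exp", 0) > time.time() else None

def parse_spiffe_id(uri: str) -> Optional[str]:
    """Accept only IDs in our trust domain with a non-empty path."""
    prefix = f"spiffe://{TRUST_DOMAIN}/"
    return uri if uri.startswith(prefix) and len(uri) > len(prefix) else None

def auth_x509_svid(req: Request) -> Optional[Principal]:      # priority 1
    for uri in req.peer_uri_sans:
        sid = parse_spiffe_id(uri)
        if sid:
            return Principal("agent", sid, "spiffe-x509")
    return None

def auth_jwt_svid(req: Request) -> Optional[Principal]:       # priority 2
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    claims = verify_jwt(auth[len("Bearer "):], JWT_SVID_KEY)
    if not claims:
        return None
    aud = claims.get("aud", [])
    if "tappass" not in ([aud] if isinstance(aud, str) else aud):
        return None  # token minted for some other workload
    sid = parse_spiffe_id(str(claims.get("sub", "")))
    return Principal("agent", sid, "spiffe-jwt") if sid else None

def auth_session(req: Request) -> Optional[Principal]:        # priority 3
    token = req.cookies.get("session")
    claims = verify_jwt(token, SESSION_KEY) if token else None
    if claims and claims.get("sub"):
        return Principal("human", claims["sub"], "session")
    return None

def auth_admin_key(req: Request) -> Optional[Principal]:      # priority 4
    key = req.headers.get("X-Admin-Key", "").encode()
    if key and hmac.compare_digest(key, ADMIN_KEY):
        return Principal("bootstrap", "admin", "admin-key")
    return None

CHAIN: list = [auth_x509_svid, auth_jwt_svid, auth_session, auth_admin_key]

def authenticate(req: Request) -> Principal:
    for method in CHAIN:
        principal = method(req)
        if principal is not None:
            return principal  # first match wins; later links never run
    raise Unauthorized("no credential matched")  # no fallback

def status_of(req: Request) -> int:
    try:
        authenticate(req)
        return 200
    except Unauthorized:
        return 401

# Demo issuers standing in for SPIRE (JWT-SVID) and the SSO login (session JWT).
def issue_jwt_svid(spiffe_id: str, ttl: int = 300) -> str:
    return sign_jwt({"sub": spiffe_id, "aud": ["tappass"], "exp": time.time() + ttl}, JWT_SVID_KEY)

def issue_session(email: str, ttl: int = 3600) -> str:
    return sign_jwt({"sub": email, "exp": time.time() + ttl}, SESSION_KEY)
```

Two details worth keeping when porting this to a real stack: each link returns `None` rather than raising, so an unparsable credential at one priority still lets a valid credential at a lower priority authenticate, and the SPIFFE ID check pins the trust domain before anything else is read from the path.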
Human SSO
Three providers are supported:
| Provider | Protocol |
|---|---|
| Google Workspace | OIDC |
| Azure AD (Entra ID) | OIDC or SAML 2.0 |
| Okta | OIDC or SAML 2.0 |
See the SSO guide for configuration.
Roles
| Role | Level | Permissions |
|---|---|---|
| super_admin | 40 | cross-org access, all operations |
| org_admin | 30 | team management, pipeline config |
| developer | 20 | agent registration, API access |
| auditor | 10 | read-only: audit trail, compliance |
| employee | 0 | dashboard, OAuth connections |
Security
- Constant-time login: bcrypt always runs, even for unknown emails, so response time does not reveal whether an account exists (prevents user enumeration)
- Brute-force protection: per-IP and per-email lockout (5 attempts, 15 min cooldown)
- Session revocation: single-session and revoke-all-sessions support
- SAML signature verification: the full XML digital signature chain is validated, with XML Signature Wrapping (XSW) attack prevention
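The first two security properties, the always-hash login and the per-IP plus per-email lockout, are shown together in the following added example. It is not TapPass's code: `LoginService`, `Lockout` and the return strings are assumptions, and because bcrypt is not in the Python standard library, PBKDF2-HMAC stands in for it with the same shape (random salt, deliberately slow). "Constant-time" here means what the page means: the slow hash runs on every attempt, so an unknown e-mail costs the same as a wrong password.

```python
"""Login path that resists user enumeration and brute force (added example)."""
import hashlib, hmac, os, time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

MAX_ATTEMPTS = 5
COOLDOWN_SECONDS = 15 * 60
# PBKDF2-HMAC stands in for bcrypt so this runs on a bare stdlib; the structure
# (random salt, slow hash, always executed) is the point, not the primitive.
SALT_LEN, ROUNDS = 16, 50_000

def hash_password(password: str, salt: bytes = b"") -> bytes:
    salt = salt or os.urandom(SALT_LEN)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def check_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)

# Hash of a random throwaway password. Unknown e-mails are verified against it so
# the slow hash runs on every request and latency does not reveal account existence.
DUMMY_HASH = hash_password(os.urandom(32).hex())

@dataclass
class Lockout:
    """Failure counter per key (IP or e-mail): MAX_ATTEMPTS failures lock the key
    until COOLDOWN_SECONDS have passed since the most recent failure."""
    failures: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def is_locked(self, key: str, now: float) -> bool:
        count, last = self.failures.get(key, (0, 0.0))
        if count < MAX_ATTEMPTS:
            return False
        if now - last < COOLDOWN_SECONDS:
            return True
        del self.failures[key]  # cooldown elapsed: start counting afresh
        return False

    def record_failure(self, key: str, now: float) -> None:
        count, _ = self.failures.get(key, (0, 0.0))
        self.failures[key] = (count + 1, now)

    def reset(self, key: str) -> None:
        self.failures.pop(key, None)

@dataclass
class LoginService:
    users: Dict[str, bytes]                      # e-mail -> stored hash (constructed data)
    by_ip: Lockout = field(default_factory=Lockout)
    by_email: Lockout = field(default_factory=Lockout)
    clock: Callable[[], float] = time.time       # injectable so tests can advance time

    def login(self, email: str, password: str, ip: str) -> str:
        """Returns "ok", "invalid" or "locked"; never says whether the e-mail exists."""
        now = self.clock()
        email = email.strip().lower()
        # Lockouts are keyed on the submitted e-mail whether or not it exists, so a
        # "locked" answer does not leak account existence either.
        if self.by_ip.is_locked(ip, now) or self.by_email.is_locked(email, now):
            return "locked"
        stored = self.users.get(email, DUMMY_HASH)   # unknown account: hash anyway
        ok = check_password(password, stored) and email in self.users
        if ok:
            self.by_ip.reset(ip)
            self.by_email.reset(email)
            return "ok"
        self.by_ip.record_failure(ip, now)
        self.by_email.record_failure(email, now)
        return "invalid"   # identical response for wrong password and unknown e-mail
```

Note that a correct password from a locked IP or for a locked e-mail still returns "locked"; the lockout is checked before the hash so an attacker cannot use the cooldown window to confirm a guess.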