Authentication & Access Control

How Taloflow authenticates users and services, and manages tokens.

Zero Trust Architecture

Taloflow implements a zero-trust security model where all requests require explicit authentication and authorization:

  • All API requests require either machine-to-machine (M2M) tokens or user authentication tokens

  • Token scoping: Each token is limited to specific permissions and has defined expiration times

  • Service-to-service authentication: Managed through Open Policy Agent (OPA)

  • JWT verification: Requests are verified using signed JSON Web Tokens (JWTs)

Open Policy Agent (OPA) Implementation

We use OPA (see Authorization & Permissions) as our centralized authorization system for all API requests:

  • Scope-based access control: Every request is evaluated against token scopes and user permissions

  • Service identity verification: All services must prove their identity before accessing resources

  • Request authorization flow: Each API call passes through OPA evaluation before reaching application logic

  • Centralized policy management: Authorization rules are maintained in a single, auditable location

Failed Authentication Handling

Taloflow follows security best practices for authentication failures:

  • Auth0-managed responses: All authentication is handled through Auth0's secure infrastructure

  • Standard error messages: Failed authentication attempts receive generic error messages that do not disclose information about valid usernames or account details

  • Silent failure patterns: Security-sensitive operations fail without revealing the reason for failure to potential attackers

  • Separate error handling: API authentication errors are handled differently from UI authentication to optimize both security and user experience

Token Lifecycle Management

  • Token expiration: All tokens have defined expiration periods

  • Scope enforcement: Tokens can only perform actions within their designated scope

  • Internal token generation: Services can generate internal tokens with revised scopes for specific operations

  • Audit logging: All token usage is logged with JTI (JWT ID), User ID, thumbprint, and expiration time
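The verification path that the OPA, failed-authentication and token-lifecycle sections describe, as an added illustration rather than Taloflow's own code: the signature, expiry and scope checks all collapse to one generic "unauthorized" response, and each accepted use is recorded with the JTI, user ID, thumbprint and expiry the audit bullet lists. The shared HS256 key, the route-to-scope table and the `mint_token`/`authorize` names are constructed for the example; a production verifier would check the issuer's public key and delegate the scope decision to OPA.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key: a real verifier checks the issuer's public key (e.g. Auth0 JWKS).
SECRET = b"constructed-demo-key"
# Hypothetical route-to-scope table; in Taloflow this decision lives in OPA policy.
ROUTE_SCOPES = {"GET /reports": "reports:read", "POST /reports": "reports:write"}
AUDIT_LOG = []  # one record per accepted token use

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict) -> str:
    """Issue an HS256 JWT for the demo (stands in for the token issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def authorize(token: str, route: str, now=None) -> dict:
    """Verify signature, expiry and scope; every failure returns the same generic error."""
    now = time.time() if now is None else now
    denied = {"ok": False, "error": "unauthorized"}
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return denied  # pin the algorithm; never accept "alg": "none"
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return denied
        claims = json.loads(_b64url_decode(body))
    except (ValueError, AttributeError):  # malformed segments, base64 or JSON
        return denied
    if not all(k in claims for k in ("jti", "sub", "exp")):
        return denied
    if claims["exp"] <= now:  # token expiration
        return denied
    if ROUTE_SCOPES.get(route) not in claims.get("scope", "").split():
        return denied  # scope enforcement (unknown routes deny by default)
    # Audit record with the fields the page lists: JTI, user ID, thumbprint, expiry.
    AUDIT_LOG.append({"jti": claims["jti"], "sub": claims["sub"],
                      "thumbprint": hashlib.sha256(token.encode()).hexdigest()[:16],
                      "exp": claims["exp"], "route": route})
    return {"ok": True, "sub": claims["sub"]}
```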

Credential handling

Taloflow does not store user passwords in human-readable form.

User authentication and credential storage are handled by Auth0.
