> For the complete documentation index, see [llms.txt](https://docs.taloflow.ai/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.taloflow.ai/security/platform-controls/authentication-and-access-control.md).

# Authentication & Access Control

### Zero Trust Architecture

Taloflow implements a zero-trust security model: no request is trusted because of where it originates, and every request must be explicitly authenticated and authorized:

* **All API requests** require either machine-to-machine (M2M) tokens or user authentication tokens
* **Token scoping**: Each token is limited to specific permissions and has defined expiration times
* **Service-to-service authentication and authorization**: Managed through Open Policy Agent (OPA). OPA is an authorization engine rather than an authentication system: a calling service proves who it is with its signed token, and OPA decides what that identity is allowed to do
* **JWT verification**: Requests carry signed JSON Web Tokens (JWTs), and a token's signature is verified before any claim in it is trusted

### Open Policy Agent (OPA) Implementation

We use OPA (see [Authorization & Permissions](/security/platform-controls/authorization-and-permissions.md)) as our centralized authorization system for all API requests:

* **Scope-based access control**: Every request is evaluated against token scopes and user permissions
* **Service identity verification**: All services must prove their identity before accessing resources
* **Request authorization flow**: Each API call passes through OPA evaluation before reaching application logic
* **Centralized policy management**: Authorization rules are maintained in a single, auditable location

### Failed Authentication Handling

Taloflow follows security best practices for authentication failures:

* **Auth0-managed responses**: All authentication is handled through Auth0's secure infrastructure
* **Standard error messages**: Failed authentication attempts receive generic error messages that do not disclose information about valid usernames or account details
* **Silent failure patterns**: Security-sensitive operations fail closed and do not tell the caller why they failed, so the error itself cannot be used to probe for valid identities or internal state
* **Separate error handling**: API authentication errors are handled on a different path from UI authentication errors, so each can be tuned for its audience (machine clients versus interactive users) without weakening the other
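The request flow described in the Zero Trust, OPA and Failed Authentication sections above can be shown end to end in code: pin the algorithm and verify the JWT signature before any claim is decoded, check `exp`, `iss` and `aud`, build an OPA-style `input` document, apply a default-deny scope rule, and hand the caller a generic `401`/`403` body while the audit event keeps the precise reason. The following is an added example written for this page, not Taloflow's code; the HMAC key, issuer, audience, route table and scope names are constructed for the demo, and the Rego shown in the comment is an illustrative equivalent of the Python check, not Taloflow's policy.

```python
"""Added example (not Taloflow's code): verify a signed JWT, authorize it the
way an OPA scope policy would, and answer the caller generically while
recording the specific reason for the audit log. Stdlib only."""
import base64
import hashlib
import hmac
import json
import time

DEMO_KEY = b"demo-hmac-key-not-for-production"  # constructed; real keys come from a key store
EXPECTED_ISS = "https://issuer.example.test/"    # hypothetical issuer
EXPECTED_AUD = "api.example.test"                # hypothetical audience

# Bodies returned to callers never say *why* authentication or authorization failed.
GENERIC_401 = {"error": "unauthorized"}
GENERIC_403 = {"error": "forbidden"}

# Hypothetical route-to-scope table; in OPA this would be policy data.
# Illustrative Rego equivalent of authorize() below:
#   default allow := false
#   allow if required_scope[input.method][input.path] in split(input.token.scope, " ")
REQUIRED_SCOPE = {
    ("GET", "/vendors"): "vendors:read",
    ("POST", "/vendors"): "vendors:write",
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Issue an HS256 JWT; used here only to construct sample input for the demo."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, key: bytes = DEMO_KEY, now=None):
    """Return (claims, None) on success or (None, internal_reason) on failure.

    The algorithm is pinned and the signature checked before the payload is
    parsed, so nothing is trusted from a token the issuer did not sign."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    try:
        header = json.loads(b64url_decode(parts[0]))
        signature = b64url_decode(parts[2])
    except ValueError:  # bad base64, bad JSON or bad UTF-8
        return None, "malformed"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "alg_not_allowed"  # never let the token choose the verifier
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad_signature"
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:
        return None, "malformed"
    if not isinstance(claims, dict):
        return None, "malformed"
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return None, "expired"
    if claims.get("iss") != EXPECTED_ISS:
        return None, "wrong_issuer"
    if claims.get("aud") != EXPECTED_AUD:
        return None, "wrong_audience"
    return claims, None


def authorize(opa_input: dict):
    """Default-deny scope check; mirrors what the Rego rule above would decide."""
    required = REQUIRED_SCOPE.get((opa_input["method"], opa_input["path"]))
    if required is None:
        return False, "no_policy_for_route"
    granted = set(opa_input["token"].get("scope", "").split())
    if required not in granted:
        return False, f"missing_scope:{required}"
    return True, "ok"


def handle_request(method: str, path: str, authorization: str, now=None):
    """Return (status, body, audit_event): the body is generic, the audit event specific."""
    if not authorization.startswith("Bearer "):
        return 401, GENERIC_401, {"outcome": "denied", "reason": "no_bearer_token"}
    claims, reason = verify_token(authorization[len("Bearer "):], now=now)
    if claims is None:
        return 401, GENERIC_401, {"outcome": "denied", "reason": reason}
    allowed, reason = authorize({"method": method, "path": path, "token": claims})
    audit = {"outcome": "allowed" if allowed else "denied", "reason": reason,
             "jti": claims.get("jti"), "sub": claims.get("sub"), "exp": claims["exp"]}
    if not allowed:
        return 403, GENERIC_403, audit
    return 200, {"ok": True}, audit
```

Note the ordering: the `alg` header is compared against a fixed allow-list and the signature is checked before the payload is even decoded, so an `alg: none` or re-signed token is rejected with no claim having been read. The caller only ever sees `{"error": "unauthorized"}` or `{"error": "forbidden"}`; the distinction between an expired token, a bad signature and a missing scope lives solely in the audit event.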

### Token Lifecycle Management

* **Token expiration**: All tokens have defined expiration periods
* **Scope enforcement**: Tokens can only perform actions within their designated scope
* **Internal token generation**: Services can generate internal tokens with revised scopes for specific operations
* **Audit logging**: All token usage is logged with JTI (JWT ID), User ID, thumbprint, and expiration time
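The two lifecycle points above that a practitioner most needs to get right are that an internal token derived from a caller's token must only ever narrow its scope and lifetime, and that each use is logged by JTI, user ID, thumbprint and expiry rather than by the token itself. The following is an added example written for this page, not Taloflow's code: it operates on claims that have already been verified, the `internal` audience is hypothetical, and because the page does not define "thumbprint" it is assumed here to be a SHA-256 digest of the presented token.

```python
"""Added example (not Taloflow's code): derive an attenuated internal token
from a verified parent token, and build the per-use audit record."""
import hashlib
import secrets
import time

INTERNAL_AUD = "internal"  # hypothetical audience for service-internal tokens


def derive_internal_claims(parent: dict, requested_scopes, ttl_seconds: int, now=None) -> dict:
    """Attenuate only: the child carries a subset of the parent's scopes and
    never outlives the parent. Any attempt to widen raises instead of granting."""
    now = time.time() if now is None else now
    parent_scopes = set(parent.get("scope", "").split())
    requested = set(requested_scopes)
    widened = requested - parent_scopes
    if widened:
        raise PermissionError(f"cannot widen scope beyond parent: {sorted(widened)}")
    if now >= parent["exp"]:
        raise PermissionError("parent token already expired")
    exp = min(int(now) + ttl_seconds, parent["exp"])
    return {
        "iss": parent["iss"],
        "sub": parent["sub"],              # the acting identity does not change
        "aud": INTERNAL_AUD,
        "scope": " ".join(sorted(requested)),
        "iat": int(now),
        "exp": int(exp),
        "jti": secrets.token_urlsafe(16),  # fresh ID so each derived token is auditable on its own
        "parent_jti": parent["jti"],       # link back to the token it was derived from
    }


def token_thumbprint(raw_token: str) -> str:
    """Assumed definition: a stable identifier for a presented token that does
    not reveal the token itself."""
    return hashlib.sha256(raw_token.encode("ascii")).hexdigest()


def audit_record(claims: dict, raw_token: str, action: str, now=None) -> dict:
    """One log entry per token use: JTI, user ID, thumbprint, expiry and the
    action attempted. The raw token is never written to the log."""
    now = time.time() if now is None else now
    return {
        "ts": int(now),
        "jti": claims["jti"],
        "user_id": claims["sub"],
        "thumbprint": token_thumbprint(raw_token),
        "exp": claims["exp"],
        "action": action,
    }
```

Keeping `parent_jti` in the derived claims lets an investigator walk from an internal token's audit entries back to the user or machine token that authorized them, and capping `exp` at the parent's expiry ensures a short-lived caller cannot leave longer-lived internal credentials behind.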

### Credential handling

Taloflow does not store user passwords in human-readable form. User authentication and credential storage are delegated to Auth0, so password verification takes place in Auth0 rather than in Taloflow's own services.

