Orchestrate uses the OpenID Connect (OIDC) authentication protocol. JSON Web Tokens (JWTs) with custom claims control access to tenant resources.
Orchestrate is not an identity provider and does not generate JWTs in production. In production, use an identity provider such as Auth0 to generate JWTs.
Set the environment variables:

| Environment variable | Set to |
|---|---|
| `AUTH_JWT_CLAIMS_NAMESPACE` | The namespace for the custom JWT claim. For example, |
| | The public key of the identity provider (Auth0, for example). |
| | The secret enabling internal microservice-to-microservice communication to bypass JWT authentication. |
An example JWT for Orchestrate multi-tenancy is displayed below.
The custom part of the claim is the namespace defined by the `AUTH_JWT_CLAIMS_NAMESPACE` environment variable and the
The tenant ID is specified only in the JWT; it is not configured in Orchestrate. When multi-tenancy is enabled, every request requires an authorization token, so resources (for example, accounts) are associated with a tenant ID on creation, and authenticated requests return only the resources linked to that tenant ID.
Specify the JWT to authorize Orchestrate API requests.
Testing and demonstration
For testing and demonstration purposes only, use the `AUTH_JWT_PRIVATE_KEY` environment variable to specify the private key associated with the public key specified by
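The two steps described above, verifying a tenant JWT against the identity provider's public key and, for testing only, signing one with the matching private key, as an added example in Go (Orchestrate's own language) that is not Orchestrate's code. It assumes the custom claim is named `tenant_id` under the configured namespace and that tokens use RS256; `SignRS256` plays the testing-only role the page gives `AUTH_JWT_PRIVATE_KEY`.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// Assumed claim name (not given on the page): the tenant ID travels under "<namespace>tenant_id".
const tenantClaim = "tenant_id"
var b64 = base64.RawURLEncoding
// SignRS256 signs a JSON payload with a private key: the testing-only role of AUTH_JWT_PRIVATE_KEY.
func SignRS256(priv *rsa.PrivateKey, payload []byte) (string, error) {
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}
// TenantFromJWT verifies the RS256 signature with the identity provider's public key, refuses any other "alg", and returns the tenant ID read from the namespaced claim.
func TenantFromJWT(token string, pub *rsa.PublicKey, namespace string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return "", errors.New("header must declare RS256")
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("invalid signature")
	}
	var claims map[string]interface{}
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return "", errors.New("malformed payload")
	}
	tenant, ok := claims[namespace+tenantClaim].(string)
	if !ok || tenant == "" {
		return "", errors.New("missing tenant claim")
	}
	return tenant, nil
}
```

Because the tenant ID is taken only from a claim that survived signature verification, a token signed by any other key, a token whose payload was edited after signing, and a token that declares a different algorithm are all rejected before any tenant is resolved.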