Authentication

Three-scheme authentication — JWT Bearer for user callers, HMAC for application callers, API Key with SHA-256 hashed storage, and PolicyScheme forwarding.

BitzOrcas uses a three-scheme authentication model with automatic forwarding based on request headers. The PolicyScheme (registered as MultiScheme) inspects the incoming request and forwards it to the handler for whichever scheme's header is present, in the order shown below; a request carrying none of the scheme-specific headers falls through to JWT Bearer.

Scheme forwarding

Request arrives
├── Has X-Signature header? → HMAC scheme
├── Has X-API-Key header? → API Key scheme
└── Otherwise → JWT Bearer scheme

JWT Bearer (User callers)

For interactive user authentication:

Parameter      Source         Validation
Jwt:Secret     Configuration  Required, ≥ 32 characters (checked at startup)
Jwt:Issuer     Configuration  Required; the token's issuer must match this value
Jwt:Audience   Configuration  Required; the token's audience must match this value
ClockSkew      Hardcoded      TimeSpan.Zero (no tolerance: an expired token is rejected the moment exp passes)
{
"Jwt": {
"Secret": "your-secret-at-least-32-characters-long",
"Issuer": "bitzorcas-api",
"Audience": "bitzorcas-client"
}
}

JWT claims

Claim           Description
sub / user_id   User identifier
tenant_id       Tenant identifier
roles           Assigned roles
exp             Expiration time (UTC)
iat             Issued-at time (UTC)
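The following is an added example, not code from the BitzOrcas project, showing what the Jwt settings above mean in practice: it mints an HS256 token carrying the claims listed in the table, validates the startup requirements (secret length, issuer, audience present) and verifies a token with a zero clock skew so that a token is rejected the second its exp passes. The HS256 implementation is hand-rolled with the standard library so it runs offline; the function names, the 32-character check living in validate_config, and the sample values are assumptions for illustration. The server's own handler is ASP.NET Core JwtBearer, which is not shown here.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed configuration in the shape of the page's Jwt section (illustrative values).
JWT_CONFIG = {
    "Secret": "your-secret-at-least-32-characters-long",
    "Issuer": "bitzorcas-api",
    "Audience": "bitzorcas-client",
}
CLOCK_SKEW_SECONDS = 0  # the page states ClockSkew is TimeSpan.Zero


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def validate_config(cfg: dict) -> None:
    """Startup check mirroring the table: secret >= 32 chars, issuer and audience present."""
    if len(cfg.get("Secret", "")) < 32:
        raise ValueError("Jwt:Secret must be at least 32 characters")
    for key in ("Issuer", "Audience"):
        if not cfg.get(key):
            raise ValueError(f"Jwt:{key} is required")


def mint_token(cfg: dict, user_id: str, tenant_id: str, roles: list, ttl_seconds: int = 3600, now: int = None) -> str:
    """Issue an HS256 token with the claims from the page's claims table (sub, tenant_id, roles, exp, iat)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": user_id,
        "tenant_id": tenant_id,
        "roles": roles,
        "iss": cfg["Issuer"],
        "aud": cfg["Audience"],
        "iat": now,
        "exp": now + ttl_seconds,
    }
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(cfg["Secret"].encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(cfg: dict, token: str, now: int = None) -> dict:
    """Return the claims, or raise ValueError with the reason a bearer handler would answer 401."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token never gets to choose the algorithm
    expected = hmac.new(cfg["Secret"].encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != cfg["Issuer"]:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != cfg["Audience"]:
        raise ValueError("audience mismatch")
    # Zero skew: per RFC 7519 the current time must be strictly before exp, with no grace window.
    if now >= int(claims["exp"]) + CLOCK_SKEW_SECONDS:
        raise ValueError("token expired")
    if int(claims["iat"]) > now + CLOCK_SKEW_SECONDS:
        raise ValueError("token issued in the future")
    return claims


if __name__ == "__main__":
    validate_config(JWT_CONFIG)
    tok = mint_token(JWT_CONFIG, "u-42", "100", ["admin"], ttl_seconds=60, now=1_700_000_000)
    print(validate_token(JWT_CONFIG, tok, now=1_700_000_030)["sub"])
```

Because ClockSkew is zero, clients whose clocks run a few seconds fast will see their tokens rejected shortly before they expect; the usual mitigation is to refresh well before exp rather than to relax the skew on the server.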

HMAC (Application callers)

For server-to-server authentication:

Component    Description
Header       X-Signature
Algorithm    HMAC-SHA256
Credentials  Hmac:Clients configuration (client id → shared secret)
Nonce        Anti-replay via INonceStore
Fail-closed  Unregistered clients → 401
{
"Hmac": {
"Clients": {
"service-a": "shared-secret-here",
"service-b": "another-secret"
}
}
}

HMAC request signing

  1. Client constructs canonical request string
  2. Computes HMAC-SHA256 with shared secret
  3. Sends X-Signature: {timestamp}.{signature}
  4. Server validates signature and nonce (anti-replay)
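The four steps above, shown end to end as an added example rather than the project's own code: the client builds a canonical string, signs it with HMAC-SHA256 and sends X-Signature: {timestamp}.{signature}; the server looks the client up in Hmac:Clients (unregistered → 401, fail-closed), checks the timestamp is fresh, recomputes the signature, compares it in constant time, and only then consults the nonce store so that a replayed request is refused. The page does not define the canonical string, how the client is identified, how the nonce travels, or the freshness window, so the METHOD/PATH/timestamp/nonce/body-hash layout, the X-Client-Id and X-Nonce headers, the 300-second window and the in-memory InMemoryNonceStore standing in for INonceStore are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed registry in the shape of the page's Hmac:Clients config.
HMAC_CLIENTS = {"service-a": "shared-secret-here", "service-b": "another-secret"}
MAX_AGE_SECONDS = 300  # assumption: the page does not state the timestamp freshness window


def canonical_request(method: str, path: str, timestamp: int, nonce: str, body: bytes) -> str:
    """Assumed canonical form: method, path, timestamp, nonce and the body hash, newline-joined."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash])


def sign_request(client_id: str, secret: str, method: str, path: str, body: bytes,
                 timestamp: int = None, nonce: str = None) -> dict:
    """Client side (steps 1-3): return the headers to attach to the request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    message = canonical_request(method, path, timestamp, nonce, body).encode()
    mac = hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()
    return {"X-Client-Id": client_id, "X-Nonce": nonce, "X-Signature": f"{timestamp}.{mac}"}


class InMemoryNonceStore:
    """Stand-in for INonceStore: remembers (client, nonce) pairs for the freshness window."""

    def __init__(self):
        self._seen = {}

    def try_add(self, client_id: str, nonce: str, timestamp: int, now: int) -> bool:
        # Forget nonces older than the window; anything older is already rejected as stale.
        for key, ts in list(self._seen.items()):
            if now - ts > MAX_AGE_SECONDS:
                del self._seen[key]
        key = (client_id, nonce)
        if key in self._seen:
            return False
        self._seen[key] = timestamp
        return True


def verify_request(headers: dict, method: str, path: str, body: bytes,
                   nonce_store: InMemoryNonceStore, now: int = None) -> tuple:
    """Server side (step 4): (200, 'ok') on success, (401, reason) on any failure (fail-closed)."""
    now = int(time.time()) if now is None else now
    secret = HMAC_CLIENTS.get(headers.get("X-Client-Id"))
    if secret is None:
        return 401, "unregistered client"
    try:
        ts_text, mac = headers["X-Signature"].split(".", 1)
        timestamp = int(ts_text)
    except (KeyError, ValueError):
        return 401, "malformed X-Signature"
    if abs(now - timestamp) > MAX_AGE_SECONDS:
        return 401, "stale timestamp"
    nonce = headers.get("X-Nonce", "")
    message = canonical_request(method, path, timestamp, nonce, body).encode()
    expected = hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return 401, "bad signature"
    # Record the nonce only after the signature verifies, so forged requests cannot burn nonces.
    if not nonce_store.try_add(headers["X-Client-Id"], nonce, timestamp, now):
        return 401, "replayed nonce"
    return 200, "ok"


if __name__ == "__main__":
    store = InMemoryNonceStore()
    body = b'{"ticket": 1}'
    hdrs = sign_request("service-a", HMAC_CLIENTS["service-a"], "POST", "/tickets", body)
    print(verify_request(hdrs, "POST", "/tickets", body, store))
    print(verify_request(hdrs, "POST", "/tickets", body, store))  # same headers again: replay
```

Two points worth checking in any real deployment: the nonce store must be shared across API instances (an in-memory set per process lets a replay succeed on a different node), and the body must be part of the canonical string, otherwise a captured signature can be reused with a different payload.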

API Key (Application callers)

Simple key-based authentication for service integration:

Component          Description
Header             X-API-Key
Storage            SHA-256 hash only (plaintext never stored)
Credential format  prefix_identifier (for example boa_integration-key, where boa is the KeyPrefix)
{
"ApiKeys": {
"boa_integration-key": {
"KeyPrefix": "boa",
"TenantId": "100",
"Scopes": ["tickets.read", "tickets.write"]
}
}
}
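An added example, not project code, of the storage rule above: the key is minted once as prefix_identifier, only its SHA-256 digest is persisted next to the tenant and scopes, and a presented X-API-Key value is hashed and compared in constant time against the stored digest. The KeyHash field, the random identifier generated by secrets.token_urlsafe, and the helper names are assumptions; the page only says that the hash is stored and the plaintext is not.

```python
import hashlib
import hmac
import secrets

# Registry in the shape of the page's ApiKeys config plus an assumed KeyHash field.
API_KEYS = {}


def create_api_key(name: str, prefix: str, tenant_id: str, scopes: list, registry: dict = API_KEYS) -> str:
    """Mint prefix_identifier with a random identifier; return the plaintext once, store only its hash."""
    credential = f"{prefix}_{secrets.token_urlsafe(24)}"
    registry[name] = {
        "KeyPrefix": prefix,
        "TenantId": tenant_id,
        "Scopes": list(scopes),
        "KeyHash": hashlib.sha256(credential.encode()).hexdigest(),
    }
    return credential  # shown to the integrator once; never written anywhere server-side


def authenticate_api_key(presented: str, registry: dict = API_KEYS):
    """Return the matching registry entry or None. Plaintext is never compared or stored."""
    if not presented or "_" not in presented:
        return None
    prefix = presented.split("_", 1)[0]  # identifiers may contain '_', so split once
    digest = hashlib.sha256(presented.encode()).hexdigest()
    for entry in registry.values():
        if entry["KeyPrefix"] != prefix:
            continue  # prefix narrows the candidates without revealing the secret part
        if hmac.compare_digest(entry["KeyHash"], digest):
            return entry
    return None


def has_scope(entry, scope: str) -> bool:
    """Authorization check after authentication: is the scope on the key's allow-list?"""
    return entry is not None and scope in entry["Scopes"]


if __name__ == "__main__":
    key = create_api_key("boa_integration-key", "boa", "100", ["tickets.read", "tickets.write"])
    entry = authenticate_api_key(key)
    print(entry["TenantId"], has_scope(entry, "tickets.read"), has_scope(entry, "tickets.delete"))
```

Unsalted SHA-256 is acceptable here only because the identifier is generated with a CSPRNG and has far more entropy than any dictionary attack can cover; if keys were ever human-chosen, the hash would have to be replaced by a slow, salted KDF.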

Development test fixtures

Test credentials are injected only when the application runs in the Development environment; they are not registered in any other environment:

  • HMAC: test-client with secret test-secret
  • API Key: boa_test_integration-key with sandbox scopes
