Authentication in the Control Plane

This page covers how the Control Plane validates inbound requests and how services authenticate with each other across the platform.

Inbound Request Validation

Every API call to the Control Plane must carry a valid Keycloak access token. The Control Plane validates the token on every request — checking the signature, expiry, and the issuing realm. Requests without a valid token are rejected before reaching any business logic.
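As an added illustration (not the Control Plane's own code), the following Python carries out the three checks in the order just described: signature, then expiry, then issuing realm. It assumes a constructed realm URL and signs with a shared HS256 test key so it runs offline; Keycloak realm tokens are RS256-signed and are verified against the realm's published public keys instead, but the checks are the same.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values. Keycloak signs realm access tokens with RS256 and
# publishes the public keys under <issuer>/protocol/openid-connect/certs;
# a shared HS256 key is used here only so the example runs offline.
SECRET = b"constructed-demo-key"
EXPECTED_ISSUER = "https://keycloak.example.invalid/realms/cogrion"  # assumed realm URL

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict) -> str:
    """Test fixture standing in for Keycloak: mint an HS256-signed JWT."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"

def validate(token: str, now=None) -> tuple:
    """Return (ok, reason). Order matters: signature, then expiry, then realm."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error and bad JSON/UTF-8
        return False, "malformed"
    # Pin the algorithm; never let the token choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    # Only parse claims once the signature has authenticated them.
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return False, "malformed"
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong realm"
    return True, "ok"
```

A request whose token fails any step is rejected before any handler runs; the reason string is for the server's own logs, not for the caller.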

Service-to-Service Authentication

Internal services on the Cogrion side communicate using tokens issued by Keycloak for service accounts, combined with mutual TLS (mTLS) for transport-level verification. No service trusts another based on network location alone.

Cluster Agent Authentication

The Cluster Agent authenticates to the Control Plane using a certificate issued at workspace provisioning time. The Control Plane validates this certificate on every poll request. The agent never uses user-level tokens — it has its own identity scoped to the specific tenant workspace it belongs to.
