Auth: hbf-event-publisher
How this service handles authentication.
Full flows: docs/architecture/auth-flows.md
Tokens This Service Accepts
| Token type | Where validated | Guard / middleware |
|---|---|---|
| User JWT | hbf-core /users/me | HBFGuard |
| Local JWT | Local validation, sub claim must match JWT_SUB env var | JWTGuard |
Tokens This Service Sends
| Calling | Token used | How attached |
|---|---|---|
| hbf-core | Caller's Bearer token (passthrough) | HBFGuard forwards the incoming Authorization header to GET /users/me |
Tokens This Service Issues
None.
Roles / Scopes Enforced
| Endpoint pattern | Required role |
|---|---|
| All guarded endpoints | Validated via HBFGuard or JWTGuard (no additional role checks) |
Auth Notes
- JWTGuard validates the JWT sub claim against the JWT_SUB env var. This is a shared pattern with hbf-lcm, used for internal/trusted callers.
- HBFGuard delegates token validation to hbf-core by calling /users/me.
- Config: CORE_URL (hbf-core base URL), JWT_SUB (expected subject for local JWT validation). The service does not use its own outbound token; HBFGuard passes through the caller's Bearer token.
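
The local check described for JWTGuard, as an added example that is not this service's code. It assumes HS256 with a shared key and an exp check, neither of which this page states; validateLocalJwt, sign, check and all sample values are hypothetical.

```javascript
const crypto = require('node:crypto');

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
const mac = (secret, data) => crypto.createHmac('sha256', secret).update(data).digest();

// Hypothetical stand-in for the local check: returns the claims or throws.
// expectedSub is the JWT_SUB value; secret is an assumed HS256 key.
function validateLocalJwt(token, { secret, expectedSub, now }) {
  // Fail closed: an unset JWT_SUB must never match a token with no sub.
  if (!secret || !expectedSub) throw new Error('guard misconfigured');
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, sig] = parts;
  let header, claims;
  try { header = dec(h); claims = dec(p); } catch { throw new Error('malformed token'); }
  // Pin the algorithm instead of trusting the header (rejects alg=none).
  if (header?.alg !== 'HS256') throw new Error('unexpected alg');
  const want = mac(secret, `${h}.${p}`);
  const got = Buffer.from(sig, 'base64url');
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    throw new Error('bad signature');
  }
  if (typeof claims?.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  if (typeof claims.sub !== 'string' || claims.sub !== expectedSub) throw new Error('sub mismatch');
  return claims;
}

// Builds constructed sample tokens for the demonstration below.
function sign(claims, secret, alg = 'HS256') {
  const body = `${enc({ alg, typ: 'JWT' })}.${enc(claims)}`;
  const sig = alg === 'none' ? '' : mac(secret, body).toString('base64url');
  return `${body}.${sig}`;
}

function check(token, cfg) {
  try { validateLocalJwt(token, cfg); return 'accepted'; } catch (e) { return e.message; }
}

// Constructed values, not taken from the service.
const cfg = { secret: 'constructed-demo-key', expectedSub: 'internal-caller', now: 1700000000 };
const exp = cfg.now + 60;
console.log(check(sign({ sub: 'internal-caller', exp }, cfg.secret), cfg));
console.log(check(sign({ sub: 'someone-else', exp }, cfg.secret), cfg));
console.log(check(sign({ sub: 'internal-caller', exp }, cfg.secret, 'none'), cfg));
console.log(check(sign({ exp }, cfg.secret), { ...cfg, expectedSub: undefined }));
```

The last case is the one to test in deployment: with JWT_SUB unset, a plain equality check would accept any validly signed token that carries no sub claim.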