Auth: hbf-lcg

Overview

hbf-lcg uses JWT for inbound authentication and Bearer tokens for outbound service calls. It does not issue tokens.

Inbound Authentication

JWTGuard (upstream endpoints)

All upstream endpoints (gateway-upstream.controller.ts) are protected by @UseGuards(JWTGuard).

Algorithm: HS256
Secret: JWT_SECRET env var
Validation: Verifies signature and checks that the sub claim matches JWT_SUB env var
Token source: Authorization: Bearer <token> header

Downstream Helvia Events

Events from hbf-lcm (POST /events/helvia-livechat) are verified via JWT in DownstreamHelviaService. The JWT is extracted from the event payload and validated against JWT_SECRET.

Downstream External Events

Events from Cisco, Genesys, and Zendesk (POST /events/:alias) are not JWT-protected. Authentication relies on the alias routing and provider-specific validation within each downstream service.

Outbound Authentication

Target	Auth Method	Config
hbf-core	Bearer token	`HBF_CORE_API_TOKEN` env var
hbf-lcm	Bearer token	`HBF_LCM_TOKEN` env var
hbf-bot	None	Direct HTTP POST
Genesys Cloud	OAuth2 client credentials	Per-tenant plugin config (clientId, clientSecret, region)
Cisco WebEx	API credentials	Per-tenant plugin config
Zendesk	API credentials	Per-tenant plugin config

Guard Location

src/guards/jwt.guard.ts -- JWTGuard implementation
src/features/auth/auth.service.ts -- JWT token verification logic

Overview​

Inbound Authentication​

JWTGuard (upstream endpoints)​

Downstream Helvia Events​

Downstream External Events​

Outbound Authentication​

Guard Location​