Auth: hbf-media-manager

How this service handles authentication. Full flows: docs/architecture/auth-flows.md

Tokens This Service Accepts

Token type	Where validated	Guard / middleware
User JWT	hbf-core /users/me	HBFGuard

Tokens This Service Sends

Calling	Token used	How attached
hbf-core	CORE_TOKEN	Authorization: Bearer <CORE_TOKEN> header

Tokens This Service Issues

None.

Roles / Scopes Enforced

Endpoint pattern	Required role
Admin endpoints	HBF_ORG_ADMIN (via AdminOrgRoleGuard)
Member endpoints	Any org role (via MemberOrgRoleGuard)

Auth Notes

• HBFGuard delegates token validation to hbf-core by calling /users/me.
• Admin endpoints require HBF_ORG_ADMIN. Member endpoints accept any active org membership, including HBF_ORG_EDITOR.
• Config: CORE_URL, CORE_TOKEN.