Skip to main content

Auth: hbf-nlp

How this service handles authentication. Full flows: docs/architecture/auth-flows.md

Tokens This Service Accepts

Token type	Where validated	Guard / middleware
User JWT	Remote validation via hbf-core `/users/me`	HBFGuard
Local JWT	Local verification (signing key)	JWTGuard

Tokens This Service Sends

Calling	Token used	How attached
hbf-core (via hbf-core-api library)	`HBF_CORE_API_TOKEN` env var	Bearer header

Tokens This Service Issues

None.

Roles / Scopes Enforced

Endpoint pattern	Required role
Org-admin endpoints	HBF_ORG_ADMIN (via MemberOrgRoleGuard)
Org-editor endpoints	HBF_ORG_EDITOR (via MemberOrgRoleGuard)
Org-viewer endpoints	HBF_ORG_VIEWER (via MemberOrgRoleGuard)
Tenant-admin endpoints	HBF_TENANT_ADMIN (via CanManageTenantGuard)
Tenant-editor endpoints	HBF_TENANT_EDITOR (via CanEditTenantGuard)
Tenant-viewer endpoints	HBF_TENANT_VIEWER (via CanReadTenantGuard)
Moderator-only endpoints	isModerator (via ModeratorGuard)

Auth Notes

Full RBAC enforcement at both org and tenant levels. No public endpoints exist.
HBFGuard calls hbf-core /users/me to validate the user JWT and retrieve user details.
Guards available: HBFGuard, JWTGuard, MemberOrgRoleGuard, CanEditTenantGuard, CanManageTenantGuard, CanReadTenantGuard, ModeratorGuard.
Env config: HBF_CORE_API_TOKEN (service token for hbf-core calls), HBF_CORE_URL (hbf-core base URL).

Tokens This Service Accepts
Tokens This Service Sends
Tokens This Service Issues
Roles / Scopes Enforced
Auth Notes