# Auth: hbf-session-manager
How this service handles authentication.
Full flows: docs/architecture/auth-flows.md
## Tokens This Service Accepts
| Token type | Where validated | Guard / middleware |
|---|---|---|
| User JWT | Remote validation via hbf-core /users/me (with optional error handling) | HBFGuard |
## Tokens This Service Sends
| Calling | Token used | How attached |
|---|---|---|
| hbf-core | CORE_TOKEN env var | Bearer header |
| hbf-event-publisher | CORE_TOKEN env var | Bearer header |
| hbf-nlp | CORE_TOKEN env var | Bearer header |
## Tokens This Service Issues
None.
## Roles / Scopes Enforced
| Endpoint pattern | Required role |
|---|---|
| Admin or moderator endpoints | HBF_ORG_ADMIN or isModerator (via OrgAdminOrModeratorGuard) |
## Auth Notes
- HBFGuard supports an optional error handling mode. When enabled, auth failures do not immediately reject the request but are handled gracefully (e.g., for endpoints that behave differently for authenticated vs unauthenticated callers).
- The same CORE_TOKEN is used for outbound calls to multiple downstream services: hbf-core, hbf-event-publisher, and hbf-nlp.
- Env config: CORE_URL (hbf-core base URL), CORE_TOKEN (service token for downstream calls), ENV (environment identifier).
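Added illustration of the behaviour described in the notes above (the two HBFGuard modes, the admin-or-moderator role check, and the CORE_TOKEN bearer header). This is example code, not hbf-session-manager's own; the `validate` callback standing in for the hbf-core `/users/me` call, the request shape, and the sample tokens are assumptions.

```typescript
// Shape of the caller as hbf-core /users/me would describe it (assumed fields).
type CoreUser = { id: string; isModerator: boolean; roles: string[] };
// Remote validation step; a real implementation calls CORE_URL + /users/me with the user JWT.
type ValidateFn = (userJwt: string) => Promise<CoreUser | null>;
type HttpRequest = { headers: Record<string, string>; user?: CoreUser | null };

class UnauthorizedError extends Error {}

// Strict mode: any failure rejects. Optional-error-handling mode: the request
// proceeds with req.user = null and the endpoint decides how to treat an anonymous caller.
async function hbfGuard(req: HttpRequest, validate: ValidateFn, optionalErrorHandling = false): Promise<boolean> {
  const auth = req.headers["authorization"] ?? "";
  const token = auth.startsWith("Bearer ") ? auth.slice(7) : "";
  let user: CoreUser | null = null;
  if (token) {
    try { user = await validate(token); } catch { user = null; } // hbf-core unreachable counts as a failed validation
  }
  if (user === null) {
    if (!optionalErrorHandling) throw new UnauthorizedError("invalid or missing user JWT");
    req.user = null;
    return true;
  }
  req.user = user;
  return true;
}

// OrgAdminOrModeratorGuard logic: HBF_ORG_ADMIN role or the isModerator flag; anonymous callers never pass.
function orgAdminOrModerator(user: CoreUser | null | undefined): boolean {
  return !!user && (user.roles.includes("HBF_ORG_ADMIN") || user.isModerator);
}

// Header for outbound calls to hbf-core, hbf-event-publisher and hbf-nlp.
// Fails fast instead of sending "Bearer undefined" when CORE_TOKEN is missing from the env.
function outboundHeaders(coreToken: string | undefined): Record<string, string> {
  if (!coreToken) throw new Error("CORE_TOKEN is not set");
  return { Authorization: `Bearer ${coreToken}` };
}

// Constructed stand-in for hbf-core /users/me (not a real endpoint call).
const fakeValidate: ValidateFn = async (userJwt) => {
  if (userJwt === "good-admin") return { id: "u1", isModerator: false, roles: ["HBF_ORG_ADMIN"] };
  if (userJwt === "good-mod") return { id: "u2", isModerator: true, roles: [] };
  if (userJwt === "core-down") throw new Error("hbf-core unreachable");
  return null; // unknown or expired JWT
};
```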