Tenant Identity

Tenant identity (JWT-SVID issuance) and RFC 8693 token delegation.

Tenant Admins use these endpoints to enable JWT-SVID issuance for an org on a specific site, rotate the signing key, configure a token exchange callback, and serve the public JWKS / OIDC discovery documents that verifiers (OpenBao, tenant APIs, etc.) consume.

The six management endpoints (PUT / GET / DELETE on tenant-identity/config and tenant-identity/token-delegation) require an authorization role whose name carries the TENANT_ADMIN suffix for the org named by {org} in the URL. The three .well-known/* endpoints are public, so external verifiers can fetch the public keys without credentials.

PUT is a full-replace upsert: every call must include all required fields, and omitted optional fields are cleared. To pause issuance without destroying signing keys, PUT with enabled: false; to destroy the signing keypair, use DELETE. Signing keys survive enabled: false and survive non-rotation upserts, so JWKS consumers and in-flight JWTs continue to verify across pauses and attribute changes.

JWKS verifiers should treat every key in the returned set as valid and select the candidate by kid: during a key-rotation overlap window two keys are present until the previous key expires, so a verifier that only trusts the newest key will wrongly reject in-flight JWTs. The OIDC discovery endpoint's id_token_signing_alg_values_supported is intentionally empty because NICo issues bearer access JWTs, not OIDC id_tokens. The three public endpoints return 404 Not Found when identity material cannot be served for this org/site (unknown site, org is not a tenant, no tenant allocation on the site, or no identity configuration); the two JWKS routes additionally return 502 Bad Gateway when the Core gRPC API responds with a body that is not a parseable JWK Set.
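The verifier-side handling described above, as an added example that is not part of this documentation or of NICo itself: it indexes a fetched JWKS by kid, rejects a body that is not a JWK Set (the condition the JWKS routes report as 502), and picks the verification key from the token's kid while refusing unexpected algorithms. The JWKS content, kids and token are constructed; signature verification itself is left to a JWT library once the key is selected.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def parse_jwk_set(body: str) -> dict:
    """Index a JWKS body by kid; reject bodies that are not a JWK Set."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        raise ValueError("JWKS body is not JSON") from exc
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        raise ValueError("JWKS body is not a JWK Set")
    by_kid = {}
    for jwk in keys:
        if not isinstance(jwk, dict) or "kid" not in jwk or "kty" not in jwk:
            raise ValueError("JWK is missing kid or kty")
        by_kid[jwk["kid"]] = jwk  # every key in the set is a valid candidate
    return by_kid


def select_key(by_kid: dict, token: str, allowed_algs=("RS256",)) -> dict:
    """Pick the key for `token` by kid; never fall back to 'the newest key',
    and never let the token header choose an algorithm we did not expect."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    alg, kid = header.get("alg"), header.get("kid")
    if alg not in allowed_algs:
        raise ValueError(f"unacceptable alg {alg!r}")
    if kid not in by_kid:
        # Unknown kid: refetch the JWKS once (a rotation may have just
        # happened), then reject the token if the kid is still unknown.
        raise KeyError(kid)
    jwk = by_kid[kid]
    if jwk.get("alg", alg) != alg or jwk.get("use", "sig") != "sig":
        raise ValueError("JWK alg/use does not match the token header")
    return jwk


def demo_token(alg: str, kid: str) -> str:
    """Constructed token carrying only a header (payload/signature are stubs)."""
    return b64url_encode(json.dumps({"alg": alg, "kid": kid}).encode()) + ".e30.sig"


# Constructed JWKS as served during a rotation overlap window: the previous
# and the new key are both present and both must be accepted by kid.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "key-prev", "use": "sig", "alg": "RS256", "n": "constructed", "e": "AQAB"},
    {"kty": "RSA", "kid": "key-next", "use": "sig", "alg": "RS256", "n": "constructed", "e": "AQAB"},
]})
```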