Operational modes
Authentication is treated as a toggleable layer. The mode is determined strictly by the AUTH_TYPE environment variable.
Strict Mode
auth0 · keycloak · custom
The service acts as a gatekeeper. All protected endpoints require a valid Bearer token in the Authorization header.
Guest Mode
noop
The security layer defaults to a no-op provider, permitting all requests without validation. All authentication checks are skipped.
Performance and caching
To maintain sub-millisecond overhead, the validation logic avoids synchronous round-trips to the Identity Provider on every request. Instead, it uses a dual-layer in-memory strategy.
L1 — Session cache
Once a JWT is cryptographically verified, its valid state is cached until the token's natural expiration (exp claim). Subsequent requests with the same token bypass signature verification entirely.
L2 — JWKS cache
Public keys (JSON Web Key Set) needed for verification are cached long-term and refreshed only if a token references an unknown Key ID (kid), handling key rotation automatically.