Authentication and Access

How PixService combines JWTs, sessions, personal access tokens, MFA, and scoped authorization.

PixService separates interactive browser sessions from external API credentials.

Browser users authenticate with password and, when MFA enforcement is enabled, MFA. The API issues a short-lived access JWT as an HttpOnly cookie and a refresh token as a separate HttpOnly cookie. The frontend never needs to read or store the JWT.

External clients authenticate with personal access tokens. A PAT is sent as Authorization: Bearer <token> on each request and is validated directly by the API.

Session State

Every browser access token is tied to a refresh-token session id. If the session is revoked, expired, or rotated anomalously, access-token validation fails even if the JWT has not reached its expiry time.

The session model supports:

  • refresh-token rotation
  • session revocation
  • deployment-level MFA enforcement
  • trusted-device MFA bypass when MFA enforcement is enabled
  • MFA completion by email or TOTP
  • admin role claims in access tokens

Authorization Scope

After authentication, controllers and application services enforce owner, organization, cluster, location, and role checks. Authentication identifies the caller; it does not by itself grant access to every resource.

On this page