Identity and Authorization

6. Identity and Authorization

The system uses two distinct authentication contexts:

  • Web identity, used for browser-based account access
  • Device identity, used by the Client Application for runtime requests

Web identity is established through the Web Portal using an External Identity Provider. The Cloud Service validates web identity tokens before processing requests.

Device identity is established through the linking flow described in Section 5.2. After linking, the Cloud Service issues a device-bound token to the Client Application.

All authentication validation and authorization checks occur at the Cloud Service boundary. Cloud Execution Workers operate only on validated jobs and are not directly exposed to public traffic.
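The boundary check described above, sketched as an added example (not code from this system): each route accepts exactly one identity context, and only validated jobs are passed on to workers. The HMAC token format, the keys, the route names, and the `device_id` comparison used to model device binding are all assumptions, since the page specifies none of them.

```python
import base64, hashlib, hmac, json, time

# Constructed demo keys, one per identity context (assumption: the page names no token format).
KEYS = {"web": b"demo-web-key", "device": b"demo-device-key"}
# Hypothetical routes; each accepts exactly one identity context.
ROUTE_CONTEXT = {"/account": "web", "/jobs": "device"}

def _b64(data):
    return base64.urlsafe_b64encode(data).decode()

def issue(context, claims):
    """Mint a demo token: base64(payload).base64(HMAC) under the context's key."""
    payload = json.dumps({**claims, "ctx": context}, sort_keys=True).encode()
    mac = hmac.new(KEYS[context], payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"

def authorize(route, token, device_id=None, now=None):
    """Boundary check: return validated claims or raise PermissionError."""
    context = ROUTE_CONTEXT.get(route)
    if context is None:
        raise PermissionError("unknown route")
    try:
        p64, m64 = token.split(".")
        payload, mac = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(m64)
    except ValueError:
        raise PermissionError("malformed token") from None
    # Verify with the key of the context this route expects, before parsing claims.
    expected = hmac.new(KEYS[context], payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise PermissionError("signature not valid for this context")
    claims = json.loads(payload)
    if claims.get("ctx") != context:
        raise PermissionError("wrong identity context")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise PermissionError("token expired")
    # Simplified binding (assumption): the claim must match the device the request presents.
    if context == "device" and claims.get("device_id") != device_id:
        raise PermissionError("token not bound to this device")
    return claims

def submit_job(token, device_id, job):
    """Only a job that passed the boundary check is handed to the worker queue."""
    claims = authorize("/jobs", token, device_id)
    return {"job": job, "account": claims["sub"], "device": claims["device_id"]}
```

A web token presented on the runtime route, or a device token presented from a different device, fails at the boundary and never produces a job for a worker.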