Auth and Token Contract

This is the canonical authentication contract for DriftGate V4.

Operator runbook: Operator Auth + Token Runbook External operator flow: External Operator Quickstart Security review flow: Security Review Quickstart

Runtime APIs

Endpoints: POST /v4/sessions.start, POST /v4/sessions/{sessionId}/executions.execute, POST /v4/execute
Required auth: Authorization: Bearer <session-token>
Credential source:
- CLI human flow: driftgate login (device login)
- Programmatic flow: session token issued by your identity flow

Admin and Config APIs

Surfaces: policies, routes, connectors, secrets, webhooks, access-control operations
Required auth: x-driftgate-api-key: <dgk_...>
Credential source: service-account token minted from Access Control in the app

Token Prefixes

dg_sa_*: service-account identifier (not a secret, never valid as auth)
dgk_*: service-account token secret (valid for admin/config APIs)
Session token (bearer): valid for runtime session/execute

Expected Failure Modes

Using dgk_* on runtime session/execute: AUTH_INVALID / missing session token
Using dg_sa_* as API key: invalid API key / invalid credential type
Using session token on admin-only mutation without proper role/scope: forbidden

Internal Admin Boundary

admin.driftgate.ai is internal-only and requires platform-admin.
Customer workspace admins do not have access to internal platform admin routes.

Last updated on March 12, 2026

Agent Integration Operator Auth Runbook