-
Notifications
You must be signed in to change notification settings - Fork 0
Use Cases Resource Server Token Validation
Osvaldo Andrade edited this page Feb 12, 2026
·
3 revisions
Validate Tikti-issued access tokens in downstream APIs.
- Resource server (for example, codeQ API)
- Tikti JWKS endpoint
- Resource server knows expected issuer and allowed audiences.
- Resource server can fetch and cache Tikti JWKS.
- Client sends bearer token to resource server.
- Resource server parses token header and resolves
kid. - Resource server fetches or reuses cached key material from
/.well-known/jwks.json. - Signature is validated with RS256 public key.
- Claims are validated:
iss,aud,exp, and required scopes. - Tenant claim (
tid) is used to enforce tenant isolation. - Request is accepted only if all checks pass.
sequenceDiagram
participant C as Client
participant R as Resource Server
participant J as Tikti JWKS
C->>R: API request with Bearer token
R->>R: Parse header and resolve kid
alt JWKS key not cached
R->>J: GET /.well-known/jwks.json
J-->>R: JWKS keys
end
R->>R: Validate RS256 signature
R->>R: Validate iss/aud/exp/scope/tid
alt Valid token and claims
R-->>C: 2xx authorized response
else Invalid token or claims
R-->>C: 401/403 denied response
end
- Invalid or forged tokens are rejected deterministically.
- Tokens with wrong
audorissare rejected. - Expired tokens are rejected without ambiguity.
- Unknown
kidwith stale cache -> JWKS refresh required, then reject if unresolved. - Missing required scope -> forbidden.
- Missing or invalid tenant context -> forbidden for tenant-scoped operations.