Aegis Developer Portal


Self-Serve Security Controls

Concrete controls for token issuance, selector-scoped access, key management, and incident response. Use this as the operational baseline for MCP broker deployments.

Token Scope Policy

Selector-Bound Grants

Every minted token must carry both an action and a resource selector. Action-only scopes are rejected at issuance and again at the runtime authorization gates.

Proof Binding

Sender-Constrained Access

Every lease action requires a request-level DPoP or mTLS proof bound to the token's `pop_key_id` or certificate fingerprint, plus replay checks on the proof itself.

Containment

Fast Revocation

Revoke compromised API tokens, leases, and DPoP keys independently of one another, keeping the blast radius limited to the exact selectors and principals affected.

Allowed Scope Shapes

credential.lease.create:provider:gcp:app:billing-prod:account:deploy-bot
credential.lease.redeem:provider:gcp:app:billing-prod:account:deploy-bot
credential.lease.revoke:provider:aws:app:payments:account:breakglass
  • Enforce explicit action values: `create`, `redeem`, `revoke`.
  • Bind provider, app, and account in every credential selector.
  • Reject selectors crossing tenant boundary during policy evaluation.

Rejected Scope Shapes

credential.lease.create
credential.lease.redeem:provider:gcp:app:*
credential.lease.revoke:provider:*
  • Reject wildcard selectors for user-minted tokens.
  • Reject action-only permissions without target selector binding.
  • Deny unknown scope prefixes and audit the attempted escalation.
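A policy-evaluation check that applies the allowed and rejected shapes above, added here as an example and not part of the Aegis portal's own code. The tenant lookup table, the value character set, and the function names are constructed assumptions; a real broker would resolve app-to-tenant ownership from the control plane.

```python
import re
from dataclasses import dataclass

SCOPE_PREFIX = "credential.lease."
ALLOWED_ACTIONS = {"create", "redeem", "revoke"}
# Selector keys must appear in this order, each followed by a concrete value.
SELECTOR_KEYS = ("provider", "app", "account")
# Concrete values only: no '*' and no empty segments.
VALUE_RE = re.compile(r"[a-z0-9][a-z0-9._-]*")
# Constructed sample of app ownership; assumption, not real Aegis data.
APP_TENANT = {"billing-prod": "acme", "payments": "acme", "ledger": "globex"}


@dataclass(frozen=True)
class Scope:
    action: str
    provider: str
    app: str
    account: str


def parse_scope(scope: str, tenant: str) -> Scope:
    """Validate one scope string for a user-minted token on behalf of `tenant`.
    Raises ValueError with the reason the shape is rejected."""
    if not scope.startswith(SCOPE_PREFIX):
        raise ValueError(f"unknown scope prefix: {scope!r}")
    action, *selector = scope[len(SCOPE_PREFIX):].split(":")
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    if not selector:
        raise ValueError("action-only scope without target selector")
    # Selector must be exactly provider:<v>:app:<v>:account:<v>.
    if len(selector) != 2 * len(SELECTOR_KEYS) or tuple(selector[0::2]) != SELECTOR_KEYS:
        raise ValueError(f"selector must bind {':'.join(SELECTOR_KEYS)}")
    values = selector[1::2]
    for key, value in zip(SELECTOR_KEYS, values):
        if not VALUE_RE.fullmatch(value):
            raise ValueError(f"wildcard or malformed value for {key}: {value!r}")
    provider, app, account = values
    # Cross-tenant selectors are denied even when the shape is well-formed.
    if APP_TENANT.get(app) != tenant:
        raise ValueError(f"selector crosses tenant boundary: app {app!r} not owned by {tenant!r}")
    return Scope(action, provider, app, account)


def evaluate(scope: str, tenant: str) -> tuple[bool, str]:
    """Return (allowed, reason); the reason is what the audit log records on denial."""
    try:
        parse_scope(scope, tenant)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)
```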

Token Lifecycle Controls

  1. Keep API token TTL between 1 and 15 minutes.
  2. Store tokens in memory only; never write long-lived bearer tokens to disk.
  3. Require nonce/jti replay checks for exchange and lease calls.
  4. Rotate keys regularly and force key revocation on suspicious proof failures.
  5. Expire bootstrap artifacts aggressively (target under 5 minutes).

DPoP Key Rotation

  1. Register the new DPoP JWK (new `kid`) in the control plane.
  2. Mint a replacement broker token bound to the new `pop_key_id`.
  3. Confirm the traffic shift: more than 95% of requests are signed with the new `kid`.
  4. Revoke the old key and deny the old `kid` at the verification gate.
  5. Audit for residual requests still signed with the retired key.

Rotation should be no-downtime: dual-key acceptance window, measurable traffic cutover, then strict retirement of old key IDs.
