Authentication

How authentication works in Kaiten — API tokens for programmatic access.

Kaiten uses a dual authentication model:

Path                      | For                                   | Mechanism
Identity Provider (OIDC)  | Human users (console, browser)        | JWT via Traefik middleware
API Tokens (ksh_*)        | Machine users (APIs, scripts, CI/CD)  | ForwardAuth via Traefik middleware

Both authentication paths go through Traefik and result in a Principal (UserID, OrganizationID, Scopes) being injected into the request context.

Identity Provider setup — Self-Hosted only

Configuring an Identity Provider (OIDC/Clerk) is only required if you are self-hosting Kaiten. If you are using the SaaS platform, authentication is managed for you. See the Self-Hosting section for IdP configuration guides.

How It Works

                  ┌── Clerk JWT ─────── Traefik JWT Plugin ──────────┐
                  │                                                    │
Request ──────────┤                                                    ├── Go API Handler
                  │                                                    │   (extracts Principal)
                  └── ksh_* token ──── Traefik ForwardAuth ──────────┘

                                        └── /api/tokens/validate
                                            (returns unsigned JWT)
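The Go program below is an added example, not code from Kaiten's repository, that walks a request through the ksh_* path in the diagram: a ForwardAuth endpoint standing in for /api/tokens/validate checks the bearer token and answers with an unsigned (alg=none) JWT, and a middleware in the API then decodes that JWT into the Principal (UserID, OrganizationID, Scopes) and puts it in the request context for handlers to read. The X-Principal-JWT header name, the JSON claim names, the in-memory hashed token store and the sample token are all assumptions made for this example. Authenticate drives both hops in-process so the two rejection points can be exercised without a gateway.

```go
package main

import (
	"context"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Principal is the (UserID, OrganizationID, Scopes) triple the page names; the JSON claim names
// and the X-Principal-JWT header used below are assumptions made for this example.
type Principal struct {
	UserID         string   `json:"sub"`
	OrganizationID string   `json:"org"`
	Scopes         []string `json:"scopes"`
}

// tokenStore is a constructed in-memory store keyed by SHA-256(token): it never holds a usable ksh_ secret.
var tokenStore = map[string]Principal{}

func hashToken(tok string) string          { return fmt.Sprintf("%x", sha256.Sum256([]byte(tok))) }
func registerToken(tok string, p Principal) { tokenStore[hashToken(tok)] = p }

// validateToken is the check behind /api/tokens/validate: Bearer scheme, ksh_ prefix, known hash.
func validateToken(authz string) (Principal, error) {
	if p, ok := tokenStore[hashToken(strings.TrimPrefix(authz, "Bearer "))]; ok && strings.HasPrefix(authz, "Bearer ksh_") {
		return p, nil
	}
	return Principal{}, errors.New("not a known ksh_ bearer token")
}

// unsignedJWT encodes the Principal as an alg=none JWT: header.payload. with an empty signature part.
func unsignedJWT(p Principal) string {
	payload, _ := json.Marshal(p) // a struct of plain strings always marshals
	enc := base64.RawURLEncoding
	return enc.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`)) + "." + enc.EncodeToString(payload) + "."
}

// parseUnsignedJWT decodes that token. It carries no signature, so it is trustworthy only on the
// Traefik-to-API hop: the API must not accept this header from anything but the gateway.
func parseUnsignedJWT(tok string) (Principal, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 || parts[2] != "" {
		return Principal{}, errors.New("malformed unsigned JWT")
	}
	var p Principal
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(payload, &p)
	}
	return p, err
}

type principalKey struct{}

// PrincipalFrom is what a Go API handler calls to read the injected Principal.
func PrincipalFrom(ctx context.Context) (Principal, bool) {
	p, ok := ctx.Value(principalKey{}).(Principal)
	return p, ok
}

// forwardAuthHandler is the endpoint Traefik ForwardAuth calls: 401 rejects at the edge, 200 plus header forwards.
func forwardAuthHandler(w http.ResponseWriter, r *http.Request) {
	p, err := validateToken(r.Header.Get("Authorization"))
	if err != nil {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	w.Header().Set("X-Principal-JWT", unsignedJWT(p))
}

// withPrincipal runs inside the API behind Traefik and injects the Principal into the request context.
func withPrincipal(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p, err := parseUnsignedJWT(r.Header.Get("X-Principal-JWT"))
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), principalKey{}, p)))
	})
}

// Authenticate drives both hops in-process (ForwardAuth, then the API handler) and returns the final status and Principal.
func Authenticate(authz string) (int, Principal) {
	faReq := httptest.NewRequest(http.MethodGet, "/api/tokens/validate", nil)
	faReq.Header.Set("Authorization", authz)
	fa := httptest.NewRecorder()
	forwardAuthHandler(fa, faReq)
	if fa.Code != http.StatusOK {
		return fa.Code, Principal{}
	}
	var seen Principal
	api := withPrincipal(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) { seen, _ = PrincipalFrom(r.Context()) }))
	apiReq := httptest.NewRequest(http.MethodGet, "/api/boards", nil)
	apiReq.Header.Set("X-Principal-JWT", fa.Header().Get("X-Principal-JWT"))
	rec := httptest.NewRecorder()
	api.ServeHTTP(rec, apiReq)
	return rec.Code, seen
}
```

Register a token with registerToken and call Authenticate once with it and once with an unknown value: the first hop answers 401 for anything that is not a known ksh_ bearer token, so the API handler never runs, and a missing or malformed X-Principal-JWT is rejected again at the second hop. The property the code cannot enforce on its own is that the alg=none token only ever arrives from Traefik; if the API port is reachable without passing through the gateway, that header becomes forgeable, so keep the API on a private network or add a shared-secret check on the internal hop.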

Programmatic Access