Authentication
All API requests require a Bearer token in the Authorization header. Tokens are issued by Service Accounts — programmatic identities you define from the dashboard or via the /api/service-accounts endpoint.
A Service Account's policy declares both what it can do (which services it can act on) and how it authenticates. The policy is JSON validated against https://oidc.pub/schemas/service-account-policy.v1.json; point your editor at it via $schema for autocomplete and inline diagnostics.
Static tokens
A kind: "static" policy issues a long-lived bearer token, returned once in the create response. Use it for CI/CD secrets and other long-lived automation.
curl https://oidc.pub/api/services \
  -H "Authorization: Bearer oidcpub_abc123..."
OIDC federation
A kind: "oidc" policy accepts JWTs minted by an external OIDC provider (GitHub Actions, GitLab CI, Vault, your own IdP). Each rule pins an exact iss URL and matches required claims (aud, sub, and any others you list) against the token. Values support * globs, so a rule like "sub": "repo:myorg/*" covers every repo in your org.
# Exchange the runner's request token for a GitHub Actions OIDC JWT (needs id-token: write), then forward it
# AUDIENCE is a placeholder for the aud value your policy rule requires
ID_TOKEN=$(curl -sS -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
  "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=${AUDIENCE}" | jq -r '.value')
curl https://oidc.pub/api/services/my-service \
  -H "Authorization: Bearer ${ID_TOKEN}"
See the Service Accounts API for full policy examples.
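The rule matching described above (exact iss, * globs on claims), sketched as an added example that is not oidc.pub's own code, to show how much a broad sub glob admits. The rule shape, the glob semantics (only * is special), the aud value and the sample claims are assumptions constructed for illustration; the claims are taken as already signature-verified.

```python
import re

GITHUB_ISS = "https://token.actions.githubusercontent.com"
AUD = "https://oidc.pub"  # constructed audience value, an assumption

def glob_match(pattern, value):
    """Only '*' is special (assumed semantics): it matches any run of characters."""
    if not isinstance(value, str):
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.DOTALL) is not None

def rule_matches(rule, claims):
    """Check already-verified claims against one rule (assumed shape: iss + claims)."""
    if claims.get("iss") != rule["iss"]:  # iss is pinned exactly, never globbed
        return False
    for name, pattern in rule["claims"].items():
        value = claims.get(name)  # a missing claim yields None and fails the rule
        values = value if isinstance(value, list) else [value]  # aud may be a list
        if not any(glob_match(pattern, v) for v in values):
            return False
    return True

def authorize(rules, claims):
    return any(rule_matches(rule, claims) for rule in rules)

def rule_for(sub_pattern):
    return [{"iss": GITHUB_ISS, "claims": {"aud": AUD, "sub": sub_pattern}}]

def claims_for(sub, iss=GITHUB_ISS):
    return {"iss": iss, "aud": AUD, "sub": sub}

# Constructed rules and token claims
BROAD = rule_for("repo:myorg/*")
TIGHT = rule_for("repo:myorg/deploy:ref:refs/heads/main")
MAIN = claims_for("repo:myorg/deploy:ref:refs/heads/main")
PR = claims_for("repo:myorg/deploy:pull_request")
OTHER_ORG = claims_for("repo:myorg-fork/deploy:ref:refs/heads/main")
TRAILING_SLASH_ISS = claims_for(MAIN["sub"], iss=GITHUB_ISS + "/")

if __name__ == "__main__":
    samples = [("main", MAIN), ("pull_request", PR), ("other org", OTHER_ORG),
               ("iss with trailing slash", TRAILING_SLASH_ISS)]
    for label, claims in samples:
        print(f"{label:24} broad={authorize(BROAD, claims)} tight={authorize(TIGHT, claims)}")
```

The broad rule accepts the pull_request-triggered token as well as the main-branch one, so pin the ref or environment in sub when only specific workflows should authenticate, and keep the / before * so the glob cannot extend the org name.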