.agents/contexts/authentication/CONTEXT.md
How identities log in and what they're allowed to do: federated and embedded auth, RBAC, audit trails, and secret storage.
UserIdentity: The authentication identity record (email, password hash, provider, verified flag) — one identity can map to users across multiple platforms. Avoid: account, identity
tokenVersion: An incrementing counter on UserIdentity; bumping it invalidates all existing JWT sessions for that identity.
OTP: A one-time password (10-min expiry) used for email verification and password reset flows. Avoid: verification code
Federated Auth: Authentication via external identity providers (Google, GitHub) using OAuth2 code exchange. Avoid: social login, SSO
Managed Auth: JWT-based authentication for embedded Activepieces — exchanges an external token for an AP session with auto-provisioned user/project. Avoid: embedded auth, external token
SAML: Enterprise SSO via SAML 2.0 protocol — login request, IdP redirect, ACS callback, assertion parsing.
SCIM: SCIM 2.0 provisioning protocol that syncs users and groups from an IdP (Okta, etc.) to platform users and projects. Avoid: user provisioning, directory sync
RBAC: Role-Based Access Control — enforcement of permissions based on a user's ProjectRole within a project. Avoid: authorization, ACL
Audit Event: A persisted record of a security-relevant action (19 event types) for compliance and forensic review. Avoid: audit log entry
Secret Manager: An external vault integration (AWS Secrets Manager, HashiCorp Vault, CyberArk Conjur, 1Password) for storing connection secrets outside Activepieces. Avoid: vault, credential store
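The tokenVersion and OTP entries above describe two invalidation mechanisms: bumping the counter on a UserIdentity rejects every previously issued JWT session, and an OTP stops being accepted 10 minutes after issue. The following is an added example, not code from Activepieces or from this context file, showing how a verifier enforces both. It assumes an in-memory stand-in for the UserIdentity table, an HS256 session JWT signed with a constructed demo key, and that the counter is carried in the token as a claim named `tokenVersion` (the claim name and the store are assumptions, not the project's actual schema).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET_KEY = b"constructed-demo-signing-key"  # constructed sample key, not a real secret
OTP_TTL_SECONDS = 10 * 60                     # OTP expiry stated in the glossary: 10 minutes


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class IdentityStore:
    """Hypothetical in-memory stand-in for the UserIdentity table."""

    def __init__(self):
        self.identities = {}  # identity_id -> {"email": str, "tokenVersion": int}

    def create(self, identity_id, email):
        self.identities[identity_id] = {"email": email, "tokenVersion": 0}

    def token_version(self, identity_id):
        return self.identities[identity_id]["tokenVersion"]

    def bump_token_version(self, identity_id):
        # Incrementing the counter is the whole "log out everywhere" operation:
        # every token still carrying the old value fails verification below.
        self.identities[identity_id]["tokenVersion"] += 1
        return self.identities[identity_id]["tokenVersion"]


def issue_session_jwt(store, identity_id, now, ttl=3600):
    """Mint an HS256 JWT that snapshots the identity's current tokenVersion."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": identity_id,
        "tokenVersion": store.token_version(identity_id),
        "iat": now,
        "exp": now + ttl,
    }
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_session_jwt(store, token, now):
    """Return the payload if the token is valid, else None.

    Rejects: malformed tokens, bad signatures, non-HS256 headers, expired
    tokens, unknown identities, and tokens whose tokenVersion no longer
    matches the stored counter (i.e. sessions revoked by a bump).
    """
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        return None
    # Always verify with our own fixed algorithm; never trust header["alg"].
    expected = hmac.new(SECRET_KEY, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        return None
    if json.loads(_b64url_decode(h_b64)).get("alg") != "HS256":
        return None
    payload = json.loads(_b64url_decode(p_b64))
    if payload.get("exp", 0) <= now:
        return None
    sub = payload.get("sub")
    if sub not in store.identities:
        return None
    if payload.get("tokenVersion") != store.token_version(sub):
        return None
    return payload


def issue_otp(now):
    """Six-digit OTP record with the 10-minute expiry from the glossary."""
    return {"code": f"{secrets.randbelow(10**6):06d}", "expires_at": now + OTP_TTL_SECONDS}


def verify_otp(record, submitted, now):
    if now >= record["expires_at"]:
        return False
    return hmac.compare_digest(record["code"], submitted)


def demo():
    """Walk through issue -> verify -> bump -> reject -> reissue."""
    store = IdentityStore()
    store.create("id-1", "alice@example.com")  # constructed sample identity
    t0 = 1_700_000_000
    old = issue_session_jwt(store, "id-1", now=t0)
    valid_before = verify_session_jwt(store, old, now=t0 + 60) is not None
    store.bump_token_version("id-1")  # e.g. on password reset
    valid_after = verify_session_jwt(store, old, now=t0 + 60) is not None
    fresh = issue_session_jwt(store, "id-1", now=t0 + 60)
    fresh_valid = verify_session_jwt(store, fresh, now=t0 + 120) is not None
    return valid_before, valid_after, fresh_valid


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

Because the counter lives on the identity rather than on individual sessions, the server keeps no token blacklist: one integer comparison per request is enough, and revocation is immediate for every device at once.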