Defines the identity architecture for all Lux and Hanzo services. Hanzo IAM (hanzo.id) is the single OIDC provider. All authenticated services validate JWTs issued by IAM. The owner claim in the JWT scopes all data queries to the organization. No service maintains its own user database.
Client -> Hanzo IAM (hanzo.id) -> JWT (id_token + access_token)
Client -> Service API (Bearer token) -> Validate JWT -> Extract org from owner claim
Access tokens are JWTs signed with RS256. Claims:
Every Lux service MUST:
1. Validate the JWT signature against IAM's JWKS endpoint (hanzo.id/.well-known/jwks.json).
2. Check the exp (expiry) and aud (audience) claims.
3. Extract owner from the JWT and scope all database queries to that organization.
4. Reject tokens with missing or empty owner.
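The four checks above, as an added Go example that is not code from the hanzo/iam or gateway repositories: it verifies an RS256 token against a JWKS using only the standard library, pins the algorithm before any key lookup, and refuses a token whose owner claim is absent or blank. In a real service the JWKS comes from hanzo.id/.well-known/jwks.json; here NewIssuerKey, PublicJWK and MintToken are constructed stand-ins for the issuer so the check runs offline. The claim names sub/owner/aud/exp, the audience value api.hanzo.ai and the treatment of aud as a single string are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// JWK holds the RSA fields of one key in a JWKS document (encoding/json matches kty/kid/n/e case-insensitively).
type JWK struct{ Kty, Kid, N, E string }

// Claims is what a Lux service checks; aud is assumed to be a single string (an array aud fails to decode and is rejected).
type Claims struct {
	Sub, Owner, Aud string
	Exp             int64
}

// ValidateToken applies the four MUST rules. alg is pinned to RS256 before any key lookup, so a header
// claiming "none" or an HMAC algorithm is refused whatever else the token carries.
func ValidateToken(token string, keys []JWK, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("bad header or alg is not RS256")
	}
	var pub *rsa.PublicKey // the JWKS entry whose kid matches the header; nothing else is tried
	for _, k := range keys {
		nb, errN := b64.DecodeString(k.N)
		eb, errE := b64.DecodeString(k.E)
		if k.Kty == "RSA" && k.Kid == hdr.Kid && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
		}
	}
	if pub == nil {
		return nil, errors.New("no usable JWKS key for kid")
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("invalid signature")
	}
	var c Claims
	if cb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(cb, &c) != nil {
		return nil, errors.New("bad claims")
	}
	switch {
	case c.Exp == 0 || now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case c.Aud != audience:
		return nil, errors.New("audience mismatch")
	case strings.TrimSpace(c.Owner) == "":
		return nil, errors.New("missing or empty owner claim")
	}
	return &c, nil
}

// NewIssuerKey, PublicJWK and MintToken are constructed stand-ins for hanzo.id (its KMS-held signing
// key, its JWKS endpoint and its token signing) so the example runs offline; they are not IAM code.
func NewIssuerKey() *rsa.PrivateKey {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway key; a real key never leaves KMS
	return key
}

func PublicJWK(pub *rsa.PublicKey, kid string) JWK {
	return JWK{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

func MintToken(key *rsa.PrivateKey, kid string, claims map[string]any) string {
	hb, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	cb, _ := json.Marshal(claims)
	input := b64.EncodeToString(hb) + "." + b64.EncodeToString(cb)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err) // constructed helper: signing fails only on a broken key
	}
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	key, now := NewIssuerKey(), time.Now()
	tok := MintToken(key, "k1", map[string]any{"sub": "user_1", "owner": "org_123", "aud": "api.hanzo.ai", "exp": now.Add(15 * time.Minute).Unix()})
	fmt.Println(ValidateToken(tok, []JWK{PublicJWK(&key.PublicKey, "k1")}, "api.hanzo.ai", now))
}
```

The key lookup is by kid only, which is what makes key rotation at IAM transparent to services: cache the JWKS, and re-fetch it once when a token arrives with an unknown kid rather than on every request. Everything after the signature check runs on claims that are now known to be IAM's, which is why the owner check can be as simple as a non-empty test.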
The API gateway (api.hanzo.ai) validates tokens at the edge and injects X-Hanzo-User and X-Hanzo-Org headers. Backend services that sit behind the gateway (so that requests cannot reach them except through it) may trust these headers without re-validating the JWT.
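The edge validation and header injection described above, as an added Go example that is not the gateway's own code. EdgeAuth strips any X-Hanzo-* header a caller sent before it validates the Bearer token and sets the trusted values; TokenValidator is an assumed hook for whatever performs the JWT check, demoValidator a constructed table of opaque tokens, and OrgScopedBackend a constructed stand-in for a service that scopes its work by the injected org. The header names and the host api.hanzo.ai come from the page; the path /v1/items and the sample identities are made up.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TokenValidator is the assumed hook for whatever verifies the IAM JWT and returns (subject, owner).
type TokenValidator func(token string) (sub, org string, err error)

// EdgeAuth wraps a backend handler the way the gateway fronts a service: it drops any X-Hanzo-*
// header the caller supplied, validates the Bearer token, then injects the trusted identity headers.
func EdgeAuth(validate TokenValidator, backend http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Strip first: the backend trusts these names, so a caller must never be able to pre-set them.
		r.Header.Del("X-Hanzo-User")
		r.Header.Del("X-Hanzo-Org")
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") {
			w.Header().Set("WWW-Authenticate", `Bearer realm="hanzo.id"`)
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		sub, org, err := validate(strings.TrimPrefix(auth, "Bearer "))
		if err != nil || org == "" { // rule 4: no owner, no access
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		r.Header.Set("X-Hanzo-User", sub)
		r.Header.Set("X-Hanzo-Org", org)
		backend.ServeHTTP(w, r)
	})
}

// OrgScopedBackend is a constructed stand-in for a service behind the gateway: it takes the org from
// the injected header (a real service would scope every query to it) and echoes the identity back.
func OrgScopedBackend() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		org := r.Header.Get("X-Hanzo-Org")
		if org == "" {
			http.Error(w, "no org context", http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "org=%s user=%s", org, r.Header.Get("X-Hanzo-User"))
	})
}

// demoValidator is a constructed lookup of opaque tokens standing in for real JWT verification.
func demoValidator(token string) (string, string, error) {
	if token == "tok-alice" {
		return "user_alice", "org_123", nil
	}
	return "", "", errors.New("unknown token")
}

// Call sends one request through a handler in-process (httptest, no network) and returns status and body.
// callerOrg, when set, is an X-Hanzo-Org value supplied by the caller, which must never be trusted.
func Call(h http.Handler, token, callerOrg string) (int, string) {
	req := httptest.NewRequest("GET", "/v1/items", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	if callerOrg != "" {
		req.Header.Set("X-Hanzo-Org", callerOrg)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	gw := EdgeAuth(demoValidator, OrgScopedBackend())
	fmt.Println(Call(gw, "tok-alice", ""))               // 200 org=org_123 user=user_alice
	fmt.Println(Call(gw, "tok-alice", "org_999"))        // 200 org=org_123 ...: caller's header discarded
	fmt.Println(Call(gw, "", "org_999"))                 // 401
	fmt.Println(Call(OrgScopedBackend(), "", "org_999")) // 200 org=org_999: the backend alone cannot tell
}
```

The last line of main is the point of the "behind the gateway" condition: the backend has no way to distinguish an injected header from a caller-supplied one, so its trust in X-Hanzo-Org is only as good as the guarantee that every request it receives has passed through EdgeAuth.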
1. Tokens are short-lived (15 minutes). Refresh tokens are rotated on each use.
2. All secrets (client IDs, signing keys) are stored in KMS (kms.hanzo.ai).
3. PKCE is mandatory for all public clients; the implicit flow is not permitted.
4. Token revocation is supported via the revocation endpoint.
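PKCE as required by item 3, as an added Go example that is not the IAM implementation: the client side derives an S256 code_challenge from a random code_verifier, and the authorization-server side binds the challenge to the code at /authorize and checks the verifier at /token, consuming the code on first use. AuthCodes is a constructed in-memory stand-in for IAM's record of issued codes; the verifier length bounds (43 to 128 characters) follow RFC 7636, and the code values are made up.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// NewVerifier creates a code_verifier from 32 random bytes (43 base64url characters, the RFC 7636 minimum).
func NewVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Challenge derives the S256 code_challenge the client sends with the /authorize request.
func Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthCodes is a constructed in-memory stand-in for IAM's record of issued authorization codes and
// the challenge bound to each; it is not the hanzo.id implementation.
type AuthCodes map[string]string

// Issue binds a code to its challenge at /authorize; a missing challenge or the plain method is refused.
func (a AuthCodes) Issue(code, challenge, method string) error {
	if method != "S256" || challenge == "" {
		return errors.New("code_challenge with method S256 is required")
	}
	a[code] = challenge
	return nil
}

// Redeem is the /token side: the code is consumed on first use, and the presented code_verifier
// must hash to the challenge recorded at /authorize (compared in constant time).
func (a AuthCodes) Redeem(code, verifier string) error {
	challenge, ok := a[code]
	if !ok {
		return errors.New("unknown or already used code")
	}
	delete(a, code) // single use, even when the verifier check below fails
	if n := len(verifier); n < 43 || n > 128 {
		return errors.New("code_verifier length out of range")
	}
	if subtle.ConstantTimeCompare([]byte(Challenge(verifier)), []byte(challenge)) != 1 {
		return errors.New("code_verifier does not match code_challenge")
	}
	return nil
}

func main() {
	codes := AuthCodes{}
	v, _ := NewVerifier()
	_ = codes.Issue("code-1", Challenge(v), "S256") // client starts the flow with the challenge
	fmt.Println(codes.Redeem("code-1", v))          // <nil>: the same client finishes it
	fmt.Println(codes.Redeem("code-1", v))          // error: the code was consumed
}
```

Because only the SHA-256 of the verifier travels in the front channel, a code captured from a redirect cannot be redeemed without the verifier that never left the client, which is what makes the flow safe for public clients that cannot hold a client secret.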
github.com/hanzoai/iam | github.com/hanzoai/gateway
Copyright (C) 2020-2026, Lux Partners Limited. All rights reserved.
Licensed under the MIT License.