Security
Security is enforced uniformly across every interface. The same authorization decision applies whether a request arrives via REST, MCP or the CLI.
Authentication
Kavach Studio authenticates users with Keycloak using OpenID Connect. The browser sends the short-lived access token as a bearer token to the REST API, where it is validated on every request.
Keycloak Flow
- 01validate actor token
Keycloak-issued access tokens establish the runtime actor identity.
- 02resolve permission scope
The requested operation is checked against the caller’s assigned scopes.
- 03enforce tenant boundary
Every read and write remains constrained to the caller’s tenant.
- 04record the mutation
The actor, action and outcome become queryable audit evidence.
governed outcome
AUTHORIZED
Token validated · tenant isolated · mutation attributable
The bootstrap administrator is used only during startup to provision the initial tenant. Runtime actor identity comes from the authenticated token, not from the bootstrap environment variable.
Authorization
Authorization is centralized. Every action resolves to a permission check against the caller's scopes before any state is read or written, so the rules cannot drift between interfaces.
Deny by default
Absent an explicit grant, access is denied. New capabilities are opt-in rather than opt-out.Tenant Isolation
Every record is tenant-scoped and every query is filtered by the caller's tenant. Cross-tenant access is impossible through the normal data path — it is not merely discouraged by convention.
Data Protection
- Encryption in transit for all interfaces.
- Encryption at rest for relational, graph and audit stores.
- Secrets resolved through the settings control plane, never inlined.
Auditability
Because every mutation is recorded in the append-only audit log with its actor and outcome, security review is a query rather than an investigation.
