Veil Auth
Veil Auth is the identity and access management service powering the administrative interfaces across the cluster. It issues short-lived JWTs and scoped API tokens for service-to-service calls, and it enforces a biometric second factor for privileged operations.
Token Architecture
Access tokens are valid for 15 minutes. Refresh tokens are stored as opaque references in Redis with a 7-day TTL. Revoking a refresh token is an O(1) operation: delete the Redis key. That only stops further refreshes; an access token that has already been issued stays valid until its exp, so 15 minutes is the effective revocation latency for any resource server that checks nothing beyond the signature and expiry.
// Issue mints a 15-minute access JWT and stores a 7-day opaque refresh token.
// Both the signature and the Redis write can fail, and either error must surface:
// otherwise the caller receives an empty access token or a refresh ID that was never stored.
func (s *TokenService) Issue(ctx context.Context, subject string, scopes []string) (*TokenPair, error) {
	claims := jwt.MapClaims{
		"sub":    subject,
		"scopes": scopes,
		"exp":    time.Now().Add(15 * time.Minute).Unix(),
		"jti":    uuid.New().String(), // unique per token, so a single token can be traced or denylisted
	}
	access, err := s.key.Sign(claims)
	if err != nil {
		return nil, fmt.Errorf("sign access token: %w", err)
	}
	refreshID := uuid.New().String()
	// The refresh token is the key itself; only the subject is stored and Redis enforces the TTL.
	// go-redis returns a StatusCmd, so the write error is surfaced through Err().
	if err := s.redis.SetEx(ctx, "refresh:"+refreshID, subject, 7*24*time.Hour).Err(); err != nil {
		return nil, fmt.Errorf("store refresh token: %w", err)
	}
	return &TokenPair{Access: access, RefreshID: refreshID}, nil
}
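The token flow above, worked end to end as an added example that is not Veil Auth's own code. HS256 with the standard library stands in for s.key.Sign (an assumption: the page never names the signing algorithm), and a map stands in for Redis, with the 7-day TTL left to Redis. Verify deliberately checks only the signature and exp, which is what makes the caveat visible: after Revoke deletes the refresh handle, the access token still verifies until it expires.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// Claims is the access-token claim set the page builds as jwt.MapClaims.
type Claims struct {
	Sub    string   `json:"sub"`
	Scopes []string `json:"scopes"`
	Exp    int64    `json:"exp"`
	JTI    string   `json:"jti"`
}
type TokenPair struct{ Access, RefreshID string }

// TokenService signs with HS256 (an assumption: the page never names the algorithm) and
// keeps refresh tokens in a map standing in for Redis; the 7-day TTL is left to Redis.
type TokenService struct {
	key     []byte
	mu      sync.Mutex
	refresh map[string]string // "refresh:<id>" -> subject, exactly what the page's SetEx stores
}

func NewTokenService(key []byte) *TokenService {
	return &TokenService{key: key, refresh: map[string]string{}}
}
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// randomID returns 128 bits from crypto/rand, filling the role of uuid.New() on the page.
func randomID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy means no tokens; never fall back to a weaker source
	}
	return b64(b)
}

func (s *TokenService) mac(signingInput string) []byte {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(signingInput))
	return m.Sum(nil)
}

// Issue mirrors the page: a 15-minute signed JWT plus an opaque refresh handle stored server-side.
func (s *TokenService) Issue(subject string, scopes []string) (*TokenPair, error) {
	body, err := json.Marshal(Claims{Sub: subject, Scopes: scopes, Exp: time.Now().Add(15 * time.Minute).Unix(), JTI: randomID()})
	if err != nil {
		return nil, err
	}
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(body)
	refreshID := randomID()
	s.mu.Lock()
	s.refresh["refresh:"+refreshID] = subject
	s.mu.Unlock()
	return &TokenPair{Access: signingInput + "." + b64(s.mac(signingInput)), RefreshID: refreshID}, nil
}

// Verify checks the signature in constant time, then exp. It never consults the refresh store,
// which is exactly why revoking a refresh token cannot cut short an access token already issued.
func (s *TokenService) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, s.mac(parts[0]+"."+parts[1])) {
		return nil, errors.New("bad signature") // rejected before the payload is even parsed
	}
	var c Claims
	if body, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if time.Now().Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Revoke is the page's O(1) delete of the Redis key: later refreshes fail, nothing else changes.
func (s *TokenService) Revoke(refreshID string) {
	s.mu.Lock()
	delete(s.refresh, "refresh:"+refreshID)
	s.mu.Unlock()
}

func main() {
	svc := NewTokenService([]byte("demo-key-not-for-production"))
	pair, _ := svc.Issue("admin@example.test", []string{"admin:read"})
	svc.Revoke(pair.RefreshID)
	_, err := svc.Verify(pair.Access)
	fmt.Println("refresh handles left:", len(svc.refresh), "access token still verifies:", err == nil)
}
```

Two details worth keeping when adapting this: the signature is checked before the payload is parsed, so nothing from an unsigned token ever reaches json.Unmarshal, and the comparison goes through hmac.Equal rather than ==. If 15 minutes is too long a window for a compromised administrative session, the jti claim is what a server-side denylist consulted by Verify would key on.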
Biometric Second Factor
WebAuthn handles the biometric flow. The biometric match happens on the authenticator; the server stores only credential public keys, never any biometric data, and learns the outcome from the user-verified (UV) flag in the signed authenticator data. For the second factor to actually be biometric (or PIN-backed), the server must require UV on privileged operations: an assertion carrying only the user-present (UP) flag means the key was merely touched. Browser passkeys and hardware security keys are both supported. The fallback for non-WebAuthn clients is TOTP, which is weaker (codes can be phished or relayed within their window), so it should stay an exception for clients that cannot do WebAuthn rather than an equal second path.
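For the TOTP fallback, an added example in Go (not Veil Auth's code) of RFC 6238 code generation together with the checks a verifier needs: constant-time comparison, a one-step skew window, and a per-user high-water mark so that an accepted code cannot be replayed within its 30-second validity. The in-memory Verifier state and the sample secret (the RFC 6238 Appendix B test key) are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

const stepSeconds = 30 // RFC 6238 default time step

// TOTP computes an RFC 6238 code (HMAC-SHA1, 30-second step) for a Unix time.
func TOTP(secret []byte, unixTime int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/stepSeconds))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// Verifier is per-user state for the fallback. It accepts the current step and one step on
// either side (clock skew), compares in constant time, and never accepts a step at or below
// the last one that succeeded, so a code captured in transit cannot be replayed inside its
// window. lastStep is kept in memory here (assumption); in service it must be persisted.
type Verifier struct {
	secret   []byte
	digits   int
	lastStep int64
}

func (v *Verifier) Check(code string, now time.Time) bool {
	step := now.Unix() / stepSeconds
	matched := false
	for d := int64(-1); d <= 1; d++ { // no early return: every window is compared
		candidate := step + d
		expected := TOTP(v.secret, candidate*stepSeconds, v.digits)
		if candidate > v.lastStep && subtle.ConstantTimeCompare([]byte(code), []byte(expected)) == 1 {
			v.lastStep = candidate
			matched = true
		}
	}
	return matched
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 Appendix B test key, used as a constructed sample
	v := &Verifier{secret: secret, digits: 6}
	at := time.Unix(59, 0)
	code := TOTP(secret, 59, 6)
	fmt.Println(code, v.Check(code, at), v.Check(code, at)) // 287082 true false
}
```

The high-water mark only works if it lives next to the user's secret in shared storage: held in one process's memory, a second replica of the service would accept the replay that the first one refused.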
Audit Log
Every authentication event, token issue, and access denial is written to an append-only audit log in Postgres with a cryptographic hash chain: each record includes the hash of the previous record, so a retroactive edit to any record breaks the link held by the record after it and is detected by walking the chain. The chain alone does not reveal a tail that has been cut off at a record boundary, nor a full rewrite by someone with write access to the table, so the latest hash must also be anchored outside Postgres and compared by a periodic check.
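The hash chain described above, as an added example that is not the service's own schema or code: each row is hashed over its JSON form with the previous hash folded in, Verify finds the first broken link, and Scenario shows what the chain catches and what it does not. The field names, the genesis value and the sample events are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Record is one audit-log row. Hash covers every other field, PrevHash included, so
// editing any field of an earlier row breaks the link stored in the row after it.
type Record struct {
	Seq      int    `json:"seq"`
	Time     string `json:"time"`    // RFC 3339, supplied by the caller
	Event    string `json:"event"`   // e.g. "auth.success", "token.issue", "access.deny"
	Subject  string `json:"subject"` // principal the event concerns
	PrevHash string `json:"prev_hash"`
	Hash     string `json:"hash"`
}

// genesis seeds the chain (assumption: the page does not say what the first row links to).
const genesis = "0000000000000000000000000000000000000000000000000000000000000000"

func recordHash(r Record) string {
	r.Hash = ""             // the hash covers everything except itself
	b, _ := json.Marshal(r) // marshalling a plain struct cannot fail; field order is fixed by the type
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// AuditLog is an in-memory stand-in for the Postgres append-only table.
type AuditLog struct{ rows []Record }

func (l *AuditLog) Append(ts, event, subject string) Record {
	r := Record{Seq: len(l.rows) + 1, Time: ts, Event: event, Subject: subject, PrevHash: l.Head()}
	r.Hash = recordHash(r)
	l.rows = append(l.rows, r)
	return r
}

// Head is the newest hash. The chain alone only proves that whatever rows remain are
// consistent with each other; publish Head out of band so a rewritten or truncated tail shows.
func (l *AuditLog) Head() string {
	if len(l.rows) == 0 {
		return genesis
	}
	return l.rows[len(l.rows)-1].Hash
}

// Verify walks the chain from genesis and returns the Seq of the first row whose sequence
// number, prev_hash link or stored hash does not check out, or 0 if the log is intact.
func Verify(rows []Record) int {
	prev := genesis
	for i, r := range rows {
		if r.Seq != i+1 || r.PrevHash != prev || recordHash(r) != r.Hash {
			return i + 1
		}
		prev = r.Hash
	}
	return 0
}

// Rechain recomputes every link and hash from genesis: what an attacker with write access
// to the table must do after editing a row if Verify is the only check that ever runs.
func Rechain(rows []Record) []Record {
	out := append([]Record(nil), rows...)
	prev := genesis
	for i := range out {
		out[i].PrevHash = prev
		out[i].Hash = recordHash(out[i])
		prev = out[i].Hash
	}
	return out
}

// Scenario builds a three-row log from constructed sample events and reports Verify on the
// intact log, after a naive edit of row 2, after the edit plus a full rechain, and whether
// the rechained log's head still matches the head that was published when the log was written.
func Scenario() (intact, naiveEdit, rechained int, headMatches bool) {
	var al AuditLog
	al.Append("2024-05-01T09:00:00Z", "auth.success", "alice@example.test")
	al.Append("2024-05-01T09:00:07Z", "access.deny", "alice@example.test")
	al.Append("2024-05-01T09:00:09Z", "token.issue", "alice@example.test")
	published := al.Head()
	intact = Verify(al.rows)
	edited := append([]Record(nil), al.rows...)
	edited[1].Event = "auth.success" // turn the denial into a success
	naiveEdit = Verify(edited)
	rewritten := Rechain(edited)
	rechained = Verify(rewritten)
	headMatches = rewritten[len(rewritten)-1].Hash == published
	return
}

func main() {
	fmt.Println(Scenario()) // 0 2 0 false
}
```

The last result is the one to act on. An attacker who can write to the table and recomputes the chain after an edit passes Verify, and so does a tail deleted cleanly at a row boundary; only the comparison against a head hash recorded where the database writer cannot reach it (a signed checkpoint, a separate system) exposes either. The chain makes tampering detectable; a check that actually compares the anchored head is what detects it.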
Status
Running in production, protecting 6 administrative interfaces. Planning a self-service credential management UI for the next release.