Auth model
Sumvin has three auth primitives. They are not interchangeable — each one fits a specific surface and caller.
The three primitives
| Credential | Header | Issued by | Used on |
|---|---|---|---|
| Auth-provider JWT | x-juno-jwt | Dynamic, Privy, or (your choice) | Platform API — acting on behalf of a signed-in user |
| SIS API key | Authorization: Bearer <key> | Sumvin (partner onboarding) | SIS — calling as a registered partner |
| PINT JWT | x-sumvin-pint-token | SIS (on token exchange) | Inbound to verifiers — a user’s credential presented to you |
Decision tree
- I’m calling the Platform API on behalf of a user I authenticated → auth-provider JWT in x-juno-jwt.
- I’m exchanging a signed PINT, fetching JWKS, or looking up a user by SRI at SIS → SIS API key.
- I’m receiving a credential from a user’s browser or agent on an inbound request → PINT JWT (I verify it; I don’t issue it).
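The decision tree above can be enforced as a guard that rejects a request carrying the wrong credential for its surface. This is an added example, not Sumvin code: the surface labels, the function name, the policy of flagging any credential that belongs to another surface, and the compact-JWT shape check are assumptions of the example, and it does not verify signatures.

```python
import re

# Header that carries each credential, taken from the table above.
CREDENTIAL_HEADERS = {
    "auth-provider JWT": "x-juno-jwt",
    "SIS API key": "authorization",
    "PINT JWT": "x-sumvin-pint-token",
}
# Credential each surface expects. The surface labels are this example's own.
EXPECTED = {
    "platform-api": "auth-provider JWT",   # outbound, on behalf of a user
    "sis": "SIS API key",                  # outbound, as a registered partner
    "verifier-inbound": "PINT JWT",        # inbound, presented to you
}
# Shape only: three base64url segments. No signature or claim validation.
JWT_SHAPE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")


def check_credentials(surface, headers):
    """Return a list of problems; an empty list means the headers fit the surface."""
    if surface not in EXPECTED:
        raise ValueError(f"unknown surface: {surface}")
    # HTTP header names are case-insensitive.
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    expected = EXPECTED[surface]
    problems = []
    for credential, header in CREDENTIAL_HEADERS.items():
        value = hdrs.get(header)
        if credential == expected:
            if not value:
                problems.append(f"missing {credential} ({header})")
            elif credential == "SIS API key":
                scheme, _, key = value.partition(" ")
                if scheme.lower() != "bearer" or not key.strip():
                    problems.append("authorization must be 'Bearer <key>'")
            elif not JWT_SHAPE.match(value):
                problems.append(f"{header} is not a compact JWT")
        elif value:
            # Assumed policy: a credential meant for another surface is an error.
            problems.append(f"unexpected {credential} ({header}) on {surface}")
    return problems


# Constructed sample: a Platform API call that also carries the partner API key.
SAMPLE = {"X-Juno-JWT": "aaa.bbb.ccc", "Authorization": "Bearer constructed-key"}

if __name__ == "__main__":
    print(check_credentials("platform-api", SAMPLE))
```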
What each credential proves
- The auth-provider JWT proves the caller is an authenticated user of your app.
- The SIS API key proves the caller is a registered Sumvin partner with known permissions.
- The PINT JWT proves a specific user signed a specific authorisation, attested by SIS.
See also
- Platform API authentication — how x-juno-jwt works
- SIS Dashboard authentication model — how auth providers attach to environments
- Identity authentication — issuer, audience, key identifiers
- Verifier headers — every header on an inbound verifier request