IssueContextToken mints a short-lived signed JWT carrying on-behalf-of authority over an organization.
POST /internal/v1/auth/token-exchange
Callable only by in-cluster workloads; enforcement is provided by:
- (a) Cilium mTLS peer identity match (Phase B of the workload-identity plan)
- (b) server-side allowlist of acting workload identities per proof type
Errors
- UNAUTHENTICATED: missing or invalid workload identity
- INVALID_ARGUMENT: malformed proof or missing required fields
- PERMISSION_DENIED: acting workload not allowed to mint for this proof type or audience; DID→org mismatch; webhook signature verification failed
- NOT_FOUND: DID or channel config not found
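The sketch below is an added example, not this service's code. It shows a deny-by-default allowlist check of the kind described in (b), returning the error names listed above. The request fields, identity strings, proof type names and the order of the checks are assumptions.

```go
package main

import "fmt"

// Code mirrors the error names listed above as plain strings (not a gRPC type).
type Code string

const (
	OK               Code = "OK"
	Unauthenticated  Code = "UNAUTHENTICATED"
	InvalidArgument  Code = "INVALID_ARGUMENT"
	PermissionDenied Code = "PERMISSION_DENIED"
)

// Request is a hypothetical shape; the page does not show the real schema.
type Request struct{ ProofType, Audience, Proof string }

// Allowlist maps acting workload identity -> proof type -> permitted audiences.
type Allowlist map[string]map[string]map[string]bool

// Authorize runs the pre-mint checks. peerID is the identity the mTLS layer
// established for the caller ("" when none); it is never read from the request.
func Authorize(al Allowlist, peerID string, r Request) Code {
	if peerID == "" {
		return Unauthenticated
	}
	if r.ProofType == "" || r.Audience == "" || r.Proof == "" {
		return InvalidArgument
	}
	// Lookups on missing keys yield false, so anything unlisted is denied.
	if !al[peerID][r.ProofType][r.Audience] {
		return PermissionDenied
	}
	return OK // proof verification (signature, DID→org match) would follow
}

// Constructed sample policy: identities, proof types and audiences are made up.
var sample = Allowlist{
	"ns/chat/sa/webhook-gateway": {"webhook": {"channel-service": true}},
}

func main() {
	req := Request{ProofType: "webhook", Audience: "channel-service", Proof: "constructed"}
	fmt.Println(Authorize(sample, "ns/chat/sa/webhook-gateway", req)) // allowed pair
	fmt.Println(Authorize(sample, "ns/other/sa/batch", req))          // unlisted workload
	req.ProofType = "did"
	fmt.Println(Authorize(sample, "ns/chat/sa/webhook-gateway", req)) // wrong proof type
}
```

Keying the policy on the peer identity taken from the connection, not on anything in the request body, is what stops a workload from claiming another workload's minting rights.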
Request
Responses
- 200: A successful response.
- default: An unexpected error response.