CipherStash Token Service (CTS)

Authentication and identity federation service for accessing CipherStash services like ZeroKMS

CipherStash Token Service (CTS) is an authentication and identity federation service.

CTS issues tokens that grant clients access to ZeroKMS. That access is temporary, limited, and can be scoped granularly.

If you are familiar with the AWS Security Token Service (AWS STS), CTS fulfils a similar role.

How it works

At a high level:

  • Clients authenticate to CTS
  • CTS issues temporary tokens to those authenticated clients
  • Those temporary tokens can be used to make requests to ZeroKMS

A client can be either CipherStash Proxy or an application using the Encryption SDK.

Tokens

Clients can authenticate to CTS via either:

  • Federation, using an identity from an Identity Provider (IDP)
  • An access key, for machine-to-machine access

Both are described below. Whichever method a client uses, the result is a temporary token. The temporary tokens are, as the name suggests, temporary: they are valid for a maximum of 15 minutes, after which the client must authenticate to CTS again to obtain a new one.
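The flow above (authenticate to CTS, receive a short-lived token, present it to ZeroKMS) is something every client has to manage correctly, because a token that lapses mid-request fails the request. The following is an added example, not code from CipherStash's SDK or Proxy: a small token cache that re-authenticates shortly before the 15-minute lifetime ends and refuses to trust a lifetime longer than CTS documents. The `authenticate` callable, the `Authorization: Bearer` header scheme, the 60-second refresh margin and the fake clock are all assumptions for illustration; the 15-minute cap is from this page.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional

# From the page: CTS tokens are valid for at most 15 minutes.
CTS_MAX_TOKEN_LIFETIME = 15 * 60
# Assumption: re-authenticate this many seconds before expiry so an in-flight
# ZeroKMS request never carries a token that lapses mid-request.
DEFAULT_REFRESH_MARGIN = 60


@dataclass(frozen=True)
class CtsToken:
    value: str          # opaque bearer token issued by CTS
    expires_at: float   # UNIX timestamp of expiry


class CtsTokenCache:
    """Holds one CTS token and refreshes it before it expires.

    `authenticate` is a hypothetical callable that performs the client's
    authentication to CTS (access key or federated identity) and returns a
    CtsToken; `now` is injected so the refresh logic can be tested offline.
    """

    def __init__(self, authenticate: Callable[[], CtsToken],
                 now: Callable[[], float] = time.time,
                 refresh_margin: float = DEFAULT_REFRESH_MARGIN) -> None:
        if not 0 <= refresh_margin < CTS_MAX_TOKEN_LIFETIME:
            raise ValueError("refresh margin must be shorter than the token lifetime")
        self._authenticate = authenticate
        self._now = now
        self._margin = refresh_margin
        self._token: Optional[CtsToken] = None

    def _needs_refresh(self) -> bool:
        return self._token is None or self._now() >= self._token.expires_at - self._margin

    def token(self) -> CtsToken:
        if self._needs_refresh():
            issued_at = self._now()
            fresh = self._authenticate()
            # Defensive cap: never hold a token past the lifetime CTS documents,
            # even if the response (or a bug in the authenticator) claims longer.
            cap = issued_at + CTS_MAX_TOKEN_LIFETIME
            if fresh.expires_at > cap:
                fresh = CtsToken(fresh.value, cap)
            if fresh.expires_at <= issued_at:
                raise RuntimeError("CTS returned an already-expired token")
            self._token = fresh
        return self._token

    def authorization_header(self) -> dict:
        """Header to attach to a ZeroKMS request (bearer scheme is an assumption)."""
        return {"Authorization": f"Bearer {self.token().value}"}


class FakeClock:
    """Constructed clock so the example runs offline and deterministically."""
    def __init__(self, start: float = 1_700_000_000.0) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    """Drive the cache with a constructed clock and authenticator; returns counters."""
    clock = FakeClock()
    calls = {"authenticate": 0}

    def fake_authenticate() -> CtsToken:
        # Constructed stand-in for the real CTS exchange; issues a 15-minute token.
        calls["authenticate"] += 1
        return CtsToken(f"cts-token-{calls['authenticate']}",
                        clock.now() + CTS_MAX_TOKEN_LIFETIME)

    cache = CtsTokenCache(fake_authenticate, now=clock.now)
    first = cache.authorization_header()
    clock.advance(10 * 60)          # 10 min after issue: still well inside the lifetime
    second = cache.authorization_header()
    clock.advance(4 * 60 + 30)      # 14m30s after issue: inside the 60 s refresh margin
    third = cache.authorization_header()
    return {
        "authenticate_calls": calls["authenticate"],
        "reused_within_lifetime": first == second,
        "rotated_before_expiry": third != second,
    }


if __name__ == "__main__":
    print(demo())
```

The refresh margin is the detail that matters in practice: a client that waits for the full 15 minutes will occasionally send a request that is signed with a token that expires while the request is in flight. Picking the margin from the client's own request timeout, rather than a fixed 60 seconds, is the usual refinement.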

Federation

Federation allows you to use an existing source of identities to authenticate to CTS, and onwards to ZeroKMS. This lets you grant and revoke people's access quickly, driven by your product's or organisation's onboarding and offboarding processes: removing an identity at the IDP stops CTS issuing new tokens for it, and because tokens are valid for at most 15 minutes, any token issued before the removal stops working within that window when it expires. By default, CTS federates with CipherStash Cloud's IDP.

Bringing your own Identity Provider (IDP)

If you want to bring your own IDP to CTS, you can configure your workspace to use either Auth0, Okta, or Clerk.

Reach out to support@cipherstash.com to get your workspace configured with your own IDP and discuss your use case.

Access keys

Access keys are a persistent credential you can use for machine-to-machine access to CTS: a client presents its access key to CTS and receives a temporary token, which is what it then uses against ZeroKMS. You can create access keys in the CipherStash Dashboard. Because an access key does not expire on its own, treat it like any other long-lived secret: keep it in a secrets manager or environment variable rather than in source control, give each workload its own key, and rotate keys as part of your offboarding and incident response processes.