Auth Model (dummy)
Authentication answers “who are you.” Authorization answers “what can you do.” We keep them strictly separate.
Sessions
User-facing clients use cookie-backed sessions:
- HttpOnly, Secure, SameSite=Lax.
- 14-day sliding expiry.
- Invalidated server-side on password change or explicit sign-out.
API tokens
Service-to-service traffic uses bearer tokens:
- Prefixed so they’re easy to spot in logs: kb_live_....
- Scoped — every token lists the exact resources and verbs it can use.
- Rotatable without downtime: new tokens are valid immediately; old ones expire on a schedule.
Authorization
A single policy function sits in front of every handler. It takes the actor, the verb, and the resource, and returns allow or deny. There is no second place that decides access.
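An added example (not code from this project) showing the scoped-token rule and the single policy function together: grants are exact (verb, resource) pairs, tokens past their rotation expiry are denied, and a decorator puts the one policy call in front of a handler. The actor record, the decorator and the token ids beyond the kb_live_ prefix are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, FrozenSet, Optional, Tuple

Grant = Tuple[str, str]  # (verb, resource); both matched exactly, no wildcards


@dataclass(frozen=True)
class Actor:
    """Hypothetical actor record: a session user or a service token."""
    id: str
    grants: FrozenSet[Grant]
    # Tokens carry an expiry so rotated-out ones lapse on schedule;
    # session actors use None here (the session store owns their lifetime).
    expires_at: Optional[datetime] = None


def is_allowed(actor: Actor, verb: str, resource: str,
               now: Optional[datetime] = None) -> bool:
    """The single policy function: every handler calls this, nothing else decides."""
    now = now or datetime.now(timezone.utc)
    if actor.expires_at is not None and actor.expires_at <= now:
        return False  # expired token: deny regardless of its grants
    return (verb, resource) in actor.grants  # anything not listed is denied


def guarded(verb: str, resource_of: Callable[..., str]):
    """Decorator placing the policy function in front of a handler."""
    def wrap(handler):
        def run(actor: Actor, *args, **kwargs):
            resource = resource_of(*args, **kwargs)
            if not is_allowed(actor, verb, resource):
                raise PermissionError(f"{actor.id}: {verb} {resource} denied")
            return handler(actor, *args, **kwargs)
        return run
    return wrap


@guarded("read", lambda doc_id: f"doc:{doc_id}")
def get_doc(actor: Actor, doc_id: str) -> str:
    return f"contents of {doc_id}"


# Constructed sample tokens: kb_live_ prefix from the page, suffixes made up.
TOKEN = Actor("kb_live_example01", frozenset({("read", "doc:42")}),
              expires_at=datetime(2030, 1, 1, tzinfo=timezone.utc))
STALE = Actor("kb_live_example00", frozenset({("read", "doc:42")}),
              expires_at=datetime(2020, 1, 1, tzinfo=timezone.utc))
```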