Security

Authentication

Authentication methods and identity management in Kinotic.

Overview

Kinotic supports multiple authentication methods to secure your applications at every level of the platform.

Authentication Methods

  • Email and Password — Built-in user management with secure credential storage. Ideal for getting started quickly or for applications that manage their own user base.
  • OIDC Providers — Connect any standard OpenID Connect provider including Google, GitHub, Microsoft, Okta, and others. OIDC configurations can be named and shared across applications within an organization.

Authorization Hierarchies

Kinotic organizes authorization into three distinct levels:

System Level

For Kinotic OS administrators who manage the platform itself. System-level access controls who can create organizations, manage infrastructure, and configure platform-wide settings.

Organization Level

For development teams building applications. Organization-level access controls who can create and manage applications, configure OIDC providers, view observability data, and manage team members.

Application Level

For end-users and machine-to-machine connections to deployed applications. Application-level access is governed by the policies you define using @AbacPolicy decorators on your services and entities.

Connecting with Authentication

Email and Password

Use the connectHeaders option to provide credentials when connecting to a Kinotic server:

import { Kinotic } from '@kinotic-ai/core'

await Kinotic.connect({
    host: 'localhost',
    port: 58503,
    connectHeaders: {
        login: 'user@example.com',
        passcode: 'password'
    }
})

Dynamic Authentication Headers

For token-based authentication (e.g., JWTs issued by an OIDC provider), pass an async function that returns the headers instead of a fixed object. Because the function is called to produce the headers, it can hand back a freshly refreshed token rather than one captured once at connect time:

import { Kinotic } from '@kinotic-ai/core'

await Kinotic.connect({
    host: 'localhost',
    port: 58503,
    // getToken() is your own function that returns a currently valid access token
    connectHeaders: async () => ({
        Authorization: `Bearer ${await getToken()}`
    })
})
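The snippet above leaves getToken() to you. As an added example, not part of the Kinotic documentation or the @kinotic-ai/core library, here is one way to build that header function: it caches the access token, reads the JWT exp claim to decide when to refresh, and makes concurrent callers share a single refresh. It assumes a caller-supplied async fetchToken() that obtains a new token from the OIDC provider; Kinotic.connect is not invoked here.

```javascript
// Added example (not Kinotic's own code). Builds a `connectHeaders` function that
// caches an OIDC access token and refreshes it shortly before expiry.
// `fetchToken` is an assumed, caller-supplied async function returning a new JWT.

// Read the `exp` claim (seconds since epoch) from a JWT. The client does not
// verify the signature; the Kinotic server does. We only need the expiry here.
function jwtExpiryMs(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  if (!Number.isFinite(claims.exp)) throw new Error('JWT has no numeric exp claim');
  return claims.exp * 1000;
}

// Returns an async function suitable for `connectHeaders`. The token is reused until
// it is within `skewMs` of expiry, then refreshed; callers that arrive while a
// refresh is in flight await that same refresh instead of hitting the provider again.
function makeHeaderProvider(fetchToken, { skewMs = 30_000, now = Date.now } = {}) {
  let token = null;
  let expiresAt = 0;
  let inflight = null;

  function refresh() {
    if (!inflight) {
      inflight = Promise.resolve()
        .then(() => fetchToken())
        .then((fresh) => { expiresAt = jwtExpiryMs(fresh); token = fresh; })
        .finally(() => { inflight = null; });
    }
    return inflight;
  }

  return async () => {
    if (token === null || now() >= expiresAt - skewMs) await refresh();
    return { Authorization: `Bearer ${token}` };
  };
}

// Constructed fixture: a JWT-shaped string with the given exp and a dummy signature.
// Real providers issue signed tokens; this only exercises the caching logic.
function fakeJwt(expSeconds) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64({ sub: 'user@example.com', exp: expSeconds })}.constructed-sig`;
}

// Scenario driven by a constructed clock: cold start, a cached hit 30 min later,
// then two concurrent calls inside the skew window that share one refresh.
async function demo() {
  let clock = 1_700_000_000_000; // constructed ms timestamp
  let issued = 0;
  const fetchToken = async () => { issued += 1; return fakeJwt(Math.floor(clock / 1000) + 3600); };
  const headers = makeHeaderProvider(fetchToken, { now: () => clock });
  const first = await headers();                 // cold: fetch #1
  clock += 30 * 60 * 1000;                       // still valid: served from cache
  const second = await headers();
  clock += 29 * 60 * 1000 + 45 * 1000;           // 15 s before expiry: inside skew
  const [a, b] = await Promise.all([headers(), headers()]); // one shared fetch #2
  return { issued, reused: first.Authorization === second.Authorization,
           rotated: a.Authorization !== first.Authorization, shared: a.Authorization === b.Authorization };
}
```

The returned function is what you pass as connectHeaders; keep the token only in memory and never log the Authorization value.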

Policy-Based Authorization

Once authenticated, authorization is handled by the platform. Policies are applied declaratively using decorators on your services and entities — no authorization logic in your application code.

See Access Control for details on writing ABAC policies.

Copyright © 2026