[{"data":1,"prerenderedAt":619},["ShallowReactive",2],{"navigation_docs":3,"-apps-security-authentication":196,"-apps-security-authentication-surround":614},[4,127,166],{"title":5,"icon":6,"path":7,"stem":8,"children":9,"page":36},"Kinotic Apps","i-lucide-rocket","\u002Fapps","1.apps",[10,14,18,37,58,91,106,122],{"title":11,"path":12,"stem":13},"Introduction","\u002Fapps\u002Fintroduction","1.apps\u002F1.introduction",{"title":15,"path":16,"stem":17},"Quick Start","\u002Fapps\u002Fquick-start","1.apps\u002F2.quick-start",{"title":19,"icon":20,"path":21,"stem":22,"children":23,"page":36},"Application Structure","i-lucide-folder-tree","\u002Fapps\u002Fapplication-structure","1.apps\u002F3.application-structure",[24,28,32],{"title":25,"path":26,"stem":27},"Overview","\u002Fapps\u002Fapplication-structure\u002Foverview","1.apps\u002F3.application-structure\u002F1.overview",{"title":29,"path":30,"stem":31},"Applications and Projects","\u002Fapps\u002Fapplication-structure\u002Fapplications-and-projects","1.apps\u002F3.application-structure\u002F2.applications-and-projects",{"title":33,"path":34,"stem":35},"Artifact Types","\u002Fapps\u002Fapplication-structure\u002Fartifact-types","1.apps\u002F3.application-structure\u002F3.artifact-types",false,{"title":38,"icon":39,"path":40,"stem":41,"children":42,"page":36},"Services","i-lucide-network","\u002Fapps\u002Fservices","1.apps\u002F4.services",[43,46,50,54],{"title":25,"path":44,"stem":45},"\u002Fapps\u002Fservices\u002Foverview","1.apps\u002F4.services\u002F1.overview",{"title":47,"path":48,"stem":49},"Publishing Services","\u002Fapps\u002Fservices\u002Fpublishing-services","1.apps\u002F4.services\u002F2.publishing-services",{"title":51,"path":52,"stem":53},"Service Proxies","\u002Fapps\u002Fservices\u002Fservice-proxies","1.apps\u002F4.services\u002F3.service-proxies",{"title":55,"path":56,"stem":57},"Streaming","\u002Fapps\u002Fservices\u002Fstreaming","1.apps\u002F4.services\u002F4.streaming",{"title":59,"icon":60,"path":61,"stem":62,"children":63,"page":36},"Persistence","i-lucide-database","\u002Fapps\u002Fpersistence","1.apps\u002F5.persistence",[64,67,71,75,79,83,87],{"title":25,"path":65,"stem":66},"\u002Fapps\u002Fpersistence\u002Foverview","1.apps\u002F5.persistence\u002F1.overview",{"title":68,"path":69,"stem":70},"Defining Entities","\u002Fapps\u002Fpersistence\u002Fdefining-entities","1.apps\u002F5.persistence\u002F2.defining-entities",{"title":72,"path":73,"stem":74},"Entity Decorators","\u002Fapps\u002Fpersistence\u002Fentity-decorators","1.apps\u002F5.persistence\u002F3.entity-decorators",{"title":76,"path":77,"stem":78},"CRUD Operations","\u002Fapps\u002Fpersistence\u002Fcrud-operations","1.apps\u002F5.persistence\u002F4.crud-operations",{"title":80,"path":81,"stem":82},"Named Queries","\u002Fapps\u002Fpersistence\u002Fnamed-queries","1.apps\u002F5.persistence\u002F5.named-queries",{"title":84,"path":85,"stem":86},"Multi-Tenancy","\u002Fapps\u002Fpersistence\u002Fmulti-tenancy","1.apps\u002F5.persistence\u002F6.multi-tenancy",{"title":88,"path":89,"stem":90},"Migrations","\u002Fapps\u002Fpersistence\u002Fmigrations","1.apps\u002F5.persistence\u002F7.migrations",{"title":92,"icon":93,"path":94,"stem":95,"children":96,"page":36},"Security","i-lucide-shield-check","\u002Fapps\u002Fsecurity","1.apps\u002F6.security",[97,101],{"title":98,"path":99,"stem":100,"icon":93},"Access Control","\u002Fapps\u002Fsecurity\u002Faccess-control","1.apps\u002F6.security\u002F1.access-control",{"title":102,"path":103,"stem":104,"icon":105},"Authentication","\u002Fapps\u002Fsecurity\u002Fauthentication","1.apps\u002F6.security\u002F2.authentication","i-lucide-key-round",{"title":107,"icon":108,"path":109,"stem":110,"children":111,"page":36},"Deployment","i-lucide-cloud-upload","\u002Fapps\u002Fdeployment","1.apps\u002F7.deployment",[112,117],{"title":113,"path":114,"stem":115,"icon":116},"Deployment Workflow","\u002Fapps\u002Fdeployment\u002Fworkflow","1.apps\u002F7.deployment\u002F1.workflow","i-lucide-git-branch",{"title":118,"path":119,"stem":120,"icon":121},"Environments","\u002Fapps\u002Fdeployment\u002Fenvironments","1.apps\u002F7.deployment\u002F2.environments","i-lucide-server",{"title":123,"path":124,"stem":125,"icon":126},"CLI Reference","\u002Fapps\u002Fcli-reference","1.apps\u002F8.cli-reference","i-lucide-terminal",{"title":128,"icon":121,"path":129,"stem":130,"children":131,"page":36},"Kinotic OS","\u002Fplatform","2.platform",[132,137,141,146,151,156,161],{"title":133,"path":134,"stem":135,"icon":136},"System Architecture","\u002Fplatform\u002Farchitecture","2.platform\u002F1.architecture","i-lucide-boxes",{"title":138,"path":139,"stem":140,"icon":6},"Deployment Guide","\u002Fplatform\u002Fdeployment-guide","2.platform\u002F2.deployment-guide",{"title":142,"path":143,"stem":144,"icon":145},"Configuration","\u002Fplatform\u002Fconfiguration","2.platform\u002F3.configuration","i-lucide-settings",{"title":147,"path":148,"stem":149,"icon":150},"Organization Management","\u002Fplatform\u002Forganization-management","2.platform\u002F4.organization-management","i-lucide-building-2",{"title":152,"path":153,"stem":154,"icon":155},"System Security","\u002Fplatform\u002Fsystem-security","2.platform\u002F5.system-security","i-lucide-shield",{"title":157,"path":158,"stem":159,"icon":160},"Observability","\u002Fplatform\u002Fobservability","2.platform\u002F6.observability","i-lucide-activity",{"title":162,"path":163,"stem":164,"icon":165},"Contributing","\u002Fplatform\u002Fcontributing","2.platform\u002F7.contributing","i-lucide-git-pull-request",{"title":167,"icon":168,"path":169,"stem":170,"children":171,"page":36},"Reference","i-lucide-book-open","\u002Freference","3.reference",[172,177,181,186,191],{"title":173,"path":174,"stem":175,"icon":176},"Decorators Reference","\u002Freference\u002Fdecorators","3.reference\u002F1.decorators","i-lucide-at-sign",{"title":178,"path":179,"stem":180,"icon":60},"Migration SQL Grammar","\u002Freference\u002Fmigration-sql-grammar","3.reference\u002F2.migration-sql-grammar",{"title":182,"path":183,"stem":184,"icon":185},"ABAC Expression Language","\u002Freference\u002Fabac-expression-language","3.reference\u002F3.abac-expression-language","i-lucide-file-code",{"title":187,"path":188,"stem":189,"icon":190},"CRI Format","\u002Freference\u002Fcri-format","3.reference\u002F4.cri-format","i-lucide-link",{"title":192,"path":193,"stem":194,"icon":195},"SDK Packages","\u002Freference\u002Fsdk-packages","3.reference\u002F5.sdk-packages","i-lucide-package",{"id":197,"title":102,"body":198,"description":607,"extension":608,"links":609,"meta":610,"navigation":611,"path":103,"seo":612,"stem":104,"__hash__":613},"docs\u002F1.apps\u002F6.security\u002F2.authentication.md",{"type":199,"value":200,"toc":592},"minimark",[201,205,209,214,231,235,238,242,245,249,252,256,264,268,271,278,441,445,448,574,578,581,588],[202,203,25],"h2",{"id":204},"overview",[206,207,208],"p",{},"Kinotic supports multiple authentication methods to secure your applications at every level of the platform.",[210,211,213],"h3",{"id":212},"authentication-methods","Authentication Methods",[215,216,217,225],"ul",{},[218,219,220,224],"li",{},[221,222,223],"strong",{},"Email and Password"," — Built-in user management with secure credential storage. Ideal for getting started quickly or for applications that manage their own user base.",[218,226,227,230],{},[221,228,229],{},"OIDC Providers"," — Connect any standard OpenID Connect provider including Google, GitHub, Microsoft, Okta, and others. OIDC configurations can be named and shared across applications within an organization.",[202,232,234],{"id":233},"authorization-hierarchies","Authorization Hierarchies",[206,236,237],{},"Kinotic organizes authorization into three distinct levels:",[210,239,241],{"id":240},"system-level","System Level",[206,243,244],{},"For Kinotic OS administrators who manage the platform itself. System-level access controls who can create organizations, manage infrastructure, and configure platform-wide settings.",[210,246,248],{"id":247},"organization-level","Organization Level",[206,250,251],{},"For development teams building applications. Organization-level access controls who can create and manage applications, configure OIDC providers, view observability data, and manage team members.",[210,253,255],{"id":254},"application-level","Application Level",[206,257,258,259,263],{},"For end-users and machine-to-machine connections to deployed applications. Application-level access is governed by the policies you define using ",[260,261,262],"code",{},"@AbacPolicy"," decorators on your services and entities.",[202,265,267],{"id":266},"connecting-with-authentication","Connecting with Authentication",[210,269,223],{"id":270},"email-and-password",[206,272,273,274,277],{},"Use the ",[260,275,276],{},"connectHeaders"," option to provide credentials when connecting to a Kinotic server:",[279,280,285],"pre",{"className":281,"code":282,"language":283,"meta":284,"style":284},"language-typescript shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","import { Kinotic } from '@kinotic-ai\u002Fcore'\n\nawait Kinotic.connect({\n    host: 'localhost',\n    port: 58503,\n    connectHeaders: {\n        login: 'user@example.com',\n        passcode: 'password'\n    }\n})\n","typescript","",[260,286,287,320,327,348,369,383,394,411,426,432],{"__ignoreMap":284},[288,289,292,296,300,304,307,310,313,317],"span",{"class":290,"line":291},"line",1,[288,293,295],{"class":294},"s7zQu","import",[288,297,299],{"class":298},"sMK4o"," {",[288,301,303],{"class":302},"sTEyZ"," Kinotic",[288,305,306],{"class":298}," }",[288,308,309],{"class":294}," from",[288,311,312],{"class":298}," '",[288,314,316],{"class":315},"sfazB","@kinotic-ai\u002Fcore",[288,318,319],{"class":298},"'\n",[288,321,323],{"class":290,"line":322},2,[288,324,326],{"emptyLinePlaceholder":325},true,"\n",[288,328,330,333,335,338,342,345],{"class":290,"line":329},3,[288,331,332],{"class":294},"await",[288,334,303],{"class":302},[288,336,337],{"class":298},".",[288,339,341],{"class":340},"s2Zo4","connect",[288,343,344],{"class":302},"(",[288,346,347],{"class":298},"{\n",[288,349,351,355,358,360,363,366],{"class":290,"line":350},4,[288,352,354],{"class":353},"swJcz","    host",[288,356,357],{"class":298},":",[288,359,312],{"class":298},[288,361,362],{"class":315},"localhost",[288,364,365],{"class":298},"'",[288,367,368],{"class":298},",\n",[288,370,372,375,377,381],{"class":290,"line":371},5,[288,373,374],{"class":353},"    port",[288,376,357],{"class":298},[288,378,380],{"class":379},"sbssI"," 58503",[288,382,368],{"class":298},[288,384,386,389,391],{"class":290,"line":385},6,[288,387,388],{"class":353},"    connectHeaders",[288,390,357],{"class":298},[288,392,393],{"class":298}," {\n",[288,395,397,400,402,404,407,409],{"class":290,"line":396},7,[288,398,399],{"class":353},"        login",[288,401,357],{"class":298},[288,403,312],{"class":298},[288,405,406],{"class":315},"user@example.com",[288,408,365],{"class":298},[288,410,368],{"class":298},[288,412,414,417,419,421,424],{"class":290,"line":413},8,[288,415,416],{"class":353},"        passcode",[288,418,357],{"class":298},[288,420,312],{"class":298},[288,422,423],{"class":315},"password",[288,425,319],{"class":298},[288,427,429],{"class":290,"line":428},9,[288,430,431],{"class":298},"    }\n",[288,433,435,438],{"class":290,"line":434},10,[288,436,437],{"class":298},"}",[288,439,440],{"class":302},")\n",[210,442,444],{"id":443},"dynamic-authentication-headers","Dynamic Authentication Headers",[206,446,447],{},"For token-based authentication (e.g., JWT tokens from an OIDC provider), pass an async function that returns headers. This allows tokens to be refreshed automatically:",[279,449,451],{"className":281,"code":450,"language":283,"meta":284,"style":284},"import { Kinotic } from '@kinotic-ai\u002Fcore'\n\nawait Kinotic.connect({\n    host: 'localhost',\n    port: 58503,\n    connectHeaders: async () => ({\n        Authorization: `Bearer ${await getToken()}`\n    })\n})\n",[260,452,453,471,475,489,503,513,534,561,568],{"__ignoreMap":284},[288,454,455,457,459,461,463,465,467,469],{"class":290,"line":291},[288,456,295],{"class":294},[288,458,299],{"class":298},[288,460,303],{"class":302},[288,462,306],{"class":298},[288,464,309],{"class":294},[288,466,312],{"class":298},[288,468,316],{"class":315},[288,470,319],{"class":298},[288,472,473],{"class":290,"line":322},[288,474,326],{"emptyLinePlaceholder":325},[288,476,477,479,481,483,485,487],{"class":290,"line":329},[288,478,332],{"class":294},[288,480,303],{"class":302},[288,482,337],{"class":298},[288,484,341],{"class":340},[288,486,344],{"class":302},[288,488,347],{"class":298},[288,490,491,493,495,497,499,501],{"class":290,"line":350},[288,492,354],{"class":353},[288,494,357],{"class":298},[288,496,312],{"class":298},[288,498,362],{"class":315},[288,500,365],{"class":298},[288,502,368],{"class":298},[288,504,505,507,509,511],{"class":290,"line":371},[288,506,374],{"class":353},[288,508,357],{"class":298},[288,510,380],{"class":379},[288,512,368],{"class":298},[288,514,515,517,519,523,526,529,532],{"class":290,"line":385},[288,516,388],{"class":340},[288,518,357],{"class":298},[288,520,522],{"class":521},"spNyl"," async",[288,524,525],{"class":298}," ()",[288,527,528],{"class":521}," =>",[288,530,531],{"class":302}," (",[288,533,347],{"class":298},[288,535,536,539,541,544,547,550,552,555,558],{"class":290,"line":396},[288,537,538],{"class":353},"        Authorization",[288,540,357],{"class":298},[288,542,543],{"class":298}," `",[288,545,546],{"class":315},"Bearer ",[288,548,549],{"class":298},"${",[288,551,332],{"class":294},[288,553,554],{"class":340}," getToken",[288,556,557],{"class":302},"()",[288,559,560],{"class":298},"}`\n",[288,562,563,566],{"class":290,"line":413},[288,564,565],{"class":298},"    }",[288,567,440],{"class":302},[288,569,570,572],{"class":290,"line":428},[288,571,437],{"class":298},[288,573,440],{"class":302},[202,575,577],{"id":576},"policy-based-authorization","Policy-Based Authorization",[206,579,580],{},"Once authenticated, authorization is handled by the platform. Policies are applied declaratively using decorators on your services and entities — no authorization logic in your application code.",[206,582,583,584,587],{},"See ",[585,586,98],"a",{"href":99}," for details on writing ABAC policies.",[589,590,591],"style",{},"html pre.shiki code .s7zQu, html code.shiki .s7zQu{--shiki-light:#39ADB5;--shiki-light-font-style:italic;--shiki-default:#89DDFF;--shiki-default-font-style:italic;--shiki-dark:#89DDFF;--shiki-dark-font-style:italic}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .s2Zo4, html code.shiki .s2Zo4{--shiki-light:#6182B8;--shiki-default:#82AAFF;--shiki-dark:#82AAFF}html pre.shiki code .swJcz, html code.shiki .swJcz{--shiki-light:#E53935;--shiki-default:#F07178;--shiki-dark:#F07178}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .spNyl, html code.shiki .spNyl{--shiki-light:#9C3EDA;--shiki-default:#C792EA;--shiki-dark:#C792EA}",{"title":284,"searchDepth":322,"depth":322,"links":593},[594,597,602,606],{"id":204,"depth":322,"text":25,"children":595},[596],{"id":212,"depth":329,"text":213},{"id":233,"depth":322,"text":234,"children":598},[599,600,601],{"id":240,"depth":329,"text":241},{"id":247,"depth":329,"text":248},{"id":254,"depth":329,"text":255},{"id":266,"depth":322,"text":267,"children":603},[604,605],{"id":270,"depth":329,"text":223},{"id":443,"depth":329,"text":444},{"id":576,"depth":322,"text":577},"Authentication methods and identity management in Kinotic.","md",null,{},{"icon":105},{"title":102,"description":607},"8YzBXuCCCtWYVMVflsuY6ernkqpSV4Qq8H4nICyPgzM",[615,617],{"title":98,"path":99,"stem":100,"description":616,"icon":93,"children":-1},"Attribute-Based Access Control (ABAC) for published services and entity data.",{"title":113,"path":114,"stem":115,"description":618,"icon":116,"children":-1},"The Kinotic deployment pipeline from development to production.",1775187765911]