Auth modes
How tenant credentials, Portal sessions, and Portal-issued API keys differ.
DLaaS itself accepts three header sets:
| Mode | Header(s) | Used for |
| --- | --- | --- |
| Tenant | X-Tenant-Api-Key + X-Tenant-Api-Secret | Per-tenant CRUD and runtime traffic |
| Control plane | X-Control-Plane-Secret | Tenant bootstrap, admin views |
| Service | X-Service-Secret | Snapshot export, runtime diagnostics |
The Portal collapses these for end users:
- You sign in with email/password or OAuth.
- The BFF resolves your active organization and decrypts its tenant secret.
- Every `/api/proxy/dlaas/*` call is signed with the tenant headers automatically.
- Admin-only endpoints use the Portal pod's `DLAAS_SERVICE_SECRET`.
- Portal API keys (created in Settings) authenticate non-browser clients to the Portal BFF; the BFF still translates to DLaaS tenant headers.
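
The translation step in the list above, sketched as an added example (not the Portal's own code): a BFF helper that discards any DLaaS credential header supplied by the client and attaches only the tenant headers it resolved server-side. The function name, the `tenant` object shape, and the choice of `Cookie`/`Authorization` as the Portal-facing credential headers are assumptions.

```javascript
// Added example: hypothetical BFF helper, not the Portal's actual code.
// Header names come from the table above; function and field names are assumed.
const DLAAS_CREDENTIAL_HEADERS = new Set([
  "x-tenant-api-key",
  "x-tenant-api-secret",
  "x-control-plane-secret",
  "x-service-secret",
]);

// Assumption: Portal sessions travel in Cookie and Portal API keys in
// Authorization. Both authenticate to the BFF only and must not reach DLaaS.
const PORTAL_ONLY_HEADERS = new Set(["cookie", "authorization"]);

function buildUpstreamHeaders(incoming, tenant) {
  if (!tenant || !tenant.apiKey || !tenant.apiSecret) {
    // Fail closed: never forward a request without resolved tenant credentials.
    throw new Error("no tenant credentials resolved for active organization");
  }
  const out = {};
  const dropped = [];
  for (const [name, value] of Object.entries(incoming)) {
    const lower = name.toLowerCase(); // HTTP header names are case-insensitive
    if (DLAAS_CREDENTIAL_HEADERS.has(lower)) {
      dropped.push(lower); // client tried to supply a DLaaS credential header
      continue;
    }
    if (PORTAL_ONLY_HEADERS.has(lower)) continue;
    out[lower] = value;
  }
  // Only the server-side values decrypted by the BFF are ever sent upstream.
  out["x-tenant-api-key"] = tenant.apiKey;
  out["x-tenant-api-secret"] = tenant.apiSecret;
  return { headers: out, dropped };
}

// Constructed sample request from a non-browser client using a Portal API key.
const sample = {
  Authorization: "Bearer portal-key-EXAMPLE",
  "X-Service-Secret": "client-supplied-value",
  "x-tenant-api-key": "someone-elses-key",
  Accept: "application/json",
};
const result = buildUpstreamHeaders(sample, {
  apiKey: "tenant-key-EXAMPLE",
  apiSecret: "tenant-secret-EXAMPLE",
});
console.log(result.headers, "dropped:", result.dropped);
```

The `dropped` list is worth logging: a client that sends `X-Control-Plane-Secret` or `X-Service-Secret` through the proxy is either misconfigured or probing.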