Auth Service — Sync Contract
Status: populated | Owner: Platform Engineering | Last updated: 2026-04-18
1. Policy
| Aggregate | Policy |
|---|---|
| User | server_authoritative |
| Account | server_authoritative |
| ApiKey | server_authoritative |
| Session | server_authoritative |
| JwkKey | server_authoritative |
2. JWKS sync to Kong
- Kong polls `/.well-known/jwks.json` every 5 min; caches in Kong workers.
- Rotation window: old key present in JWKS for 10 min after rotation event → zero-downtime rotation.
3. Outbox
Aggregate mutations + domain event persisted in one PG transaction (auth.outbox). Relay publishes to NATS; deletes from outbox on ACK. Replay safe.
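
Added example (not the auth service's own code): a sketch of the outbox flow above, showing that a failed mutation leaves no orphan event and that a lost ACK causes a re-publish rather than a lost event. Assumptions: in-memory SQLite stands in for PG, a Python callable stands in for NATS, and the `api_key` table, the `auth.apikey.revoked` subject and consumer-side dedup on `event_id` are hypothetical.

```python
import contextlib, json, sqlite3, uuid

def open_db():
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit BEGIN/COMMIT
    db.executescript("""
        CREATE TABLE api_key(id TEXT PRIMARY KEY, revoked INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE outbox(seq INTEGER PRIMARY KEY AUTOINCREMENT, event_id TEXT UNIQUE,
                            subject TEXT NOT NULL, payload TEXT NOT NULL);
        INSERT INTO api_key(id) VALUES ('k1');  -- constructed sample row
    """)
    return db

def scalar(db, sql):
    return db.execute(sql).fetchone()[0]

def revoke_api_key(db, key_id, crash=False):
    """Aggregate mutation and its domain event commit or roll back together."""
    db.execute("BEGIN")
    try:
        db.execute("UPDATE api_key SET revoked = 1 WHERE id = ?", (key_id,))
        db.execute("INSERT INTO outbox(event_id, subject, payload) VALUES (?, ?, ?)",
                   (str(uuid.uuid4()), "auth.apikey.revoked", json.dumps({"id": key_id})))
        if crash:
            raise RuntimeError("simulated failure before COMMIT")
        db.execute("COMMIT")
    except Exception:
        db.execute("ROLLBACK")
        raise

def relay_once(db, publish):
    """Publish pending rows in order; delete a row only after the broker ACKs it."""
    sent = 0
    rows = db.execute("SELECT seq, event_id, subject, payload FROM outbox ORDER BY seq")
    for seq, event_id, subject, payload in rows.fetchall():
        if not publish(subject, event_id, payload):  # no ACK: keep row, retry next pass
            break
        db.execute("DELETE FROM outbox WHERE seq = ?", (seq,))
        sent += 1
    return sent

def demo():
    db, applied, acks = open_db(), {}, iter([False, True])
    def publish(subject, event_id, payload):
        applied.setdefault(event_id, json.loads(payload))  # consumer dedupes on event_id
        return next(acks)                                   # first ACK is lost in transit
    with contextlib.suppress(RuntimeError):
        revoke_api_key(db, "k1", crash=True)                # must leave no trace
    clean = (scalar(db, "SELECT revoked FROM api_key"), scalar(db, "SELECT count(*) FROM outbox"))
    revoke_api_key(db, "k1")
    passes = [relay_once(db, publish), relay_once(db, publish)]
    return clean, passes, len(applied), scalar(db, "SELECT count(*) FROM outbox")
```

`demo()` returns the post-rollback state, the rows ACKed per relay pass, the number of distinct events the consumer applied, and the remaining outbox depth.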