Skip to content


Authentication is enforced by the api-gateway which validates session cookies / headers, & adds a x-prismeai-user-id header to the request before forwarding it to the target microservice. Thus, other backend microservices do not enforce any authentication mechanism & rely on this x-prismeai-user-id header when needing access to the authenticated user id. Therefore, these backend microservices must be securely kept inside a private & trusted network.

The API Gateway will reject un-authenticated requests only if the target API is protected by an authentication policy inside the gateway.config.yml.

runtime microservice automatically pulls authenticated sessions (through gateway.login.succeeded events) to fill user and session context variables when processing input endpoints or events.


Although API Gateway is the only authentication keeper, each backend microservice can manage its own permissions system (using package), with their own custom roles & policies.

For instance, when accessing a specific workspace, service will check that authenticated user (given by x-prismeai-user-id header) has a read policy on the target object. This read policy might be granted in different ways : specific policy attribution, role, or with an API Key.
More details on Permissions & API Keys

Authorization configuration

Roles, permissions & API Keys are implemented by package, which provides generic helpers allowing each service to implement their custom authorization policies with minimal efforts.

Each backend microservice keep this configuration inside a src/permissions folder.
This folder has 2 main files :
- config.ts : declares the existing roles (i.e owner), object types (i.e workspace) and the rules defining the allowed / forbidden interactions
- index.ts : Instantiates the with the above configuration + a persistance Mongoose schema (optional, only if we want the package to handle the permissions persistance)