Status: Beta

Auth & STS

OpenTaco enforces auth by default for /v1 routes. The CLI performs OIDC PKCE login, exchanges the ID token for OpenTaco access/refresh tokens, and stores them per server. For the S3-compatible endpoint, the service issues short-lived STS credentials that embed an OpenTaco access token in X-Amz-Security-Token.

Endpoints

  • GET /v1/auth/config — Server OIDC config for CLI auto-discovery.
  • POST /v1/auth/exchange — OIDC ID token → OpenTaco access/refresh.
  • POST /v1/auth/token — Refresh → new access (rotates refresh).
  • POST /v1/auth/issue-s3-creds — Issue STS creds for /s3 (requires a Bearer token).
  • GET /v1/auth/me — Current subject/roles/groups derived from the Bearer token.
  • GET /oidc/jwks.json — JWKS for signature verification.

CLI usage

  • taco login — Runs PKCE, saves tokens to ~/.config/opentaco/credentials.json under the current --server.
  • taco whoami — Prints current identity.
  • taco creds --json — Emits AWS Process Credentials JSON for use with Terraform’s S3 backend via /s3.
  • taco logout — Removes saved tokens for the current server.

S3-compatible credentials

Configure your AWS profile to source credentials from taco creds --json:

    [profile opentaco-state-backend]
    region = auto
    credential_process = "/absolute/path/to/taco" creds --json --server http://localhost:8080

Notes

  • Requests to /s3 must be SigV4-signed; X-Amz-Security-Token must be a valid OpenTaco access token whose audience includes s3.
  • Set AWS_SDK_LOAD_CONFIG=1 and AWS_PROFILE=opentaco-state-backend in your environment before running Terraform.
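As an added example (not OpenTaco's own code), the following Python script checks the credential_process document that taco creds --json emits before Terraform consumes it: a Version 1 document with all fields, an Expiration still in the future, and a SessionToken whose audience includes s3 and that does not expire before the credentials do. It decodes the token's claims without verifying the signature (that remains the service's job against /oidc/jwks.json), so it can reject bad output but never vouch for it; sample_creds is a constructed document with a placeholder signature for local testing.

```python
import base64
import json
from datetime import datetime, timezone


def jwt_claims(token: str) -> dict:
    """Decode a compact JWT's payload WITHOUT verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("SessionToken is not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_process_creds(raw: str, now: datetime) -> list:
    """Return the problems found; [] means Terraform's S3 backend could use
    this document against /s3 (assuming the server-side signature check passes)."""
    doc, problems = json.loads(raw), []
    if doc.get("Version") != 1:
        problems.append("Version must be 1")
    problems += [f"missing {k}" for k in ("AccessKeyId", "SecretAccessKey", "SessionToken") if not doc.get(k)]
    try:
        expiration = datetime.fromisoformat(str(doc.get("Expiration", "")).replace("Z", "+00:00"))
        if expiration.tzinfo is None:
            raise ValueError("no timezone")
    except ValueError:
        return problems + ["Expiration missing or not RFC 3339"]
    if expiration <= now:
        problems.append("credentials already expired")
    try:
        claims = jwt_claims(doc.get("SessionToken", ""))
    except ValueError as exc:  # binascii.Error and JSONDecodeError are ValueErrors
        return problems + [f"SessionToken undecodable: {exc}"]
    aud = claims.get("aud")
    if "s3" not in ([aud] if isinstance(aud, str) else aud or []):  # aud may be str or list
        problems.append("access token audience does not include s3")
    tok_exp = claims.get("exp")
    if not isinstance(tok_exp, (int, float)) or datetime.fromtimestamp(tok_exp, timezone.utc) < expiration:
        problems.append("token exp missing or earlier than credential Expiration")
    return problems


def sample_creds(aud, tok_exp: int, expiration: str) -> str:
    """Constructed credential_process document; the signature is a placeholder."""
    def b64(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    token = f'{b64({"alg": "RS256"})}.{b64({"aud": aud, "exp": tok_exp, "sub": "demo-user"})}.placeholder-sig'
    return json.dumps({"Version": 1, "AccessKeyId": "AKIAEXAMPLE", "SecretAccessKey": "secret-example",
                       "SessionToken": token, "Expiration": expiration})
```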

Configuration

Environment variables for the service (examples):

    OPENTACO_AUTH_ISSUER=...
    OPENTACO_AUTH_CLIENT_ID=...

Development shortcuts:

  • -auth-disable disables auth for /v1 (local/dev only).
  • OPENTACO_AUTH_DEV_SKIP_VERIFY=true relaxes token verification in constrained environments (dev only).

See also

  • Examples: docs/auth_config_examples.md
  • Backend specifics: docs/backend-service.md (S3-compatible shim)
  • Service routes: docs/backend-service.md, docs/reference/api.md