Overview

The walt.id Enterprise Stack provides fine-grained access control using Role-Based Access Control (RBAC) with optional integration into external Identity and Access Management (IAM) systems.

This model clearly separates:

  • Authentication: who a caller is
  • Authorization: what a caller is allowed to do

Authentication can be performed using:

  • Local accounts (email/password)
  • API keys
  • External IAM providers via OpenID Connect (OIDC)

Authorization is enforced by the Enterprise Stack using RBAC roles and permissions.

Authentication vs Authorization

Authentication

Authentication determines identity. Depending on your deployment, this can happen through:

  • Account login
  • API key authentication
  • OIDC tokens issued by an external IAM provider

Authorization

Authorization determines whether the authenticated identity can perform the requested operation.

After authentication, the Enterprise Stack:

  1. Resolves the identity (principal)
  2. Resolves assigned roles and corresponding permissions
  3. Checks whether required permissions are present
  4. Allows or denies the request

If the required permission is missing, the API returns 403 Forbidden.
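The four-step decision above, worked through in code. This is an added illustration, not walt.id's own implementation: the role names, permission strings, credentials and the "org/tenant" scope-path convention are constructed for the example, and returning 401 for a credential that cannot be resolved is an assumption (the page only specifies 403 for a missing permission).

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed role -> permission mapping (hypothetical names, not walt.id's).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "issuer-operator": {"credential:issue", "credential:read"},
    "verifier-operator": {"presentation:verify"},
    "auditor": {"audit:read"},
}


@dataclass(frozen=True)
class RoleAssignment:
    role: str
    scope: str  # assumed scope path, e.g. "org/acme" or "org/acme/tenant/hr"


@dataclass(frozen=True)
class Principal:
    subject: str
    assignments: Tuple[RoleAssignment, ...]


# Constructed credential store standing in for local accounts, API keys and
# OIDC tokens; a real deployment resolves these against the account store or IdP.
CREDENTIALS: Dict[str, Principal] = {
    "api-key-issuer-hr": Principal(
        "svc-issuer", (RoleAssignment("issuer-operator", "org/acme/tenant/hr"),)
    ),
    "oidc-token-alice": Principal(
        "alice", (RoleAssignment("auditor", "org/acme"),)
    ),
}


def resolve_principal(credential: str) -> Optional[Principal]:
    """Step 1: authentication result -> principal (None if unknown)."""
    return CREDENTIALS.get(credential)


def scope_covers(assigned: str, requested: str) -> bool:
    """A role assigned at 'org/acme' covers 'org/acme/tenant/hr', never the reverse.

    The trailing '/' prevents 'org/ac' from matching 'org/acme'.
    """
    return requested == assigned or requested.startswith(assigned.rstrip("/") + "/")


def effective_permissions(principal: Principal, scope: str) -> Set[str]:
    """Step 2: union of permissions from every role whose scope covers the target."""
    perms: Set[str] = set()
    for assignment in principal.assignments:
        if scope_covers(assignment.scope, scope):
            perms |= ROLE_PERMISSIONS.get(assignment.role, set())
    return perms


def authorize(credential: str, permission: str, scope: str) -> int:
    """Steps 3 and 4: return the HTTP status the API would answer with."""
    principal = resolve_principal(credential)
    if principal is None:
        return 401  # assumption: unauthenticated caller
    if permission in effective_permissions(principal, scope):
        return 200
    return 403  # authenticated, but the required permission is missing


if __name__ == "__main__":
    # Issuer key is scoped to the HR tenant only.
    print(authorize("api-key-issuer-hr", "credential:issue", "org/acme/tenant/hr"))
    print(authorize("api-key-issuer-hr", "credential:issue", "org/acme/tenant/finance"))
    # Auditor assigned at org level reaches every tenant beneath it.
    print(authorize("oidc-token-alice", "audit:read", "org/acme/tenant/hr"))
```

The scope check is where least privilege is enforced in practice: the issuer key can issue in the HR tenant but gets 403 in finance, while the auditor role granted at the organization level is inherited by every tenant under it.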

Conceptual Architecture

User / Machine Client
        │ Authentication
External IAM / Local Account / API Key
        │ Token / API Key
Enterprise Stack API
        │ RBAC Authorization
Roles → Permissions → Scoped Access
Services (Issuer, Verifier, Wallet, DID, Credential Status Services)

Security Best Practices

For production deployments, we recommend:

  • Use external IAM (OIDC) for workforce authentication
  • Apply the principle of least privilege
  • Assign roles at the narrowest scope needed
  • Rotate API keys regularly
  • Use short-lived access tokens where possible
  • Avoid using Super Admin credentials in automation
  • Monitor audit logs for privileged operations

Learn more

  • RBAC Model - Understand the core framework for role-based access control
  • IAM Integration - Connect to external identity providers via OIDC
  • Permissions - Discover available permissions and their scope
  • Roles - Define and manage user roles and their permission sets
  • Accounts - Manage local user accounts and authentication
  • API Keys - Create and manage API keys for machine-to-machine access
  • Super Admin - Grant unrestricted administrative access with caution

Last updated on March 10, 2026