
Security

The public Sandbox is open. A production EvidentSource instance is not — it sits behind authentication and authorization you control.

EvidentSource accepts bearer tokens at the gRPC and REST boundaries. Tokens are validated against a configurable identity provider:

  • OIDC — any standards-compliant IdP (Okta, Auth0, AWS IAM Identity Center, Keycloak, Google Workspace)
  • Static JWT — for service-to-service calls with pre-issued tokens
  • mTLS — client certificate authentication

Configure the provider in the CloudFormation stack parameters or the container’s environment variables.

Authorization is policy-based. Each database has an associated policy document that defines:

  • Who can issue which commands
  • Who can read which state views
  • Who can subscribe to event streams
  • Who can deploy or update components

Policies reference claims on the authenticated identity — roles, groups, custom attributes — from the identity provider.
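The following is an added example of how a deny-by-default, claims-driven policy check of this kind can be evaluated. It is not EvidentSource's code, and the policy document schema (`rules` with an `action`, a `resource` pattern and a `require` map of claim values) is a constructed illustration, not the product's actual format.

```python
"""Added example: evaluating a per-database authorization policy against
the claims carried by an authenticated identity. The policy schema below is
constructed for illustration and is not EvidentSource's actual format."""
from fnmatch import fnmatchcase

# Constructed policy document for one database. Each rule names an action
# category (command / read / subscribe / deploy), a glob over the resource
# (command name, state view, stream name or component), and the claim values
# that grant it. Anything not matched by a rule is denied.
POLICY = {
    "database": "orders",
    "rules": [
        {"action": "command", "resource": "PlaceOrder",
         "require": {"roles": ["order-clerk", "order-admin"]}},
        {"action": "command", "resource": "*",
         "require": {"roles": ["order-admin"]}},
        {"action": "read", "resource": "OrderSummary",
         "require": {"groups": ["finance", "ops"]}},
        {"action": "subscribe", "resource": "orders.*",
         "require": {"groups": ["ops"]}},
        {"action": "deploy", "resource": "*",
         "require": {"roles": ["platform-engineer"]}},
    ],
}


def _claims_satisfy(claims, require):
    """True if the identity holds at least one accepted value for every
    required claim. Claims may arrive as a single string or a list."""
    for claim_name, accepted in require.items():
        held = claims.get(claim_name, [])
        if isinstance(held, str):
            held = [held]
        if not set(held) & set(accepted):
            return False
    return True


def authorize(policy, claims, action, resource):
    """Deny by default; allow only if some rule for (action, resource) is
    satisfied by the caller's claims. Returns (allowed, reason) so the
    decision can be recorded alongside the caller identity."""
    for rule in policy["rules"]:
        if rule["action"] != action:
            continue
        if not fnmatchcase(resource, rule["resource"]):
            continue
        if _claims_satisfy(claims, rule["require"]):
            return True, f"matched rule {rule['action']}:{rule['resource']}"
    return False, "no matching rule (default deny)"


if __name__ == "__main__":
    clerk = {"sub": "alice", "roles": ["order-clerk"], "groups": ["ops"]}
    print(authorize(POLICY, clerk, "command", "PlaceOrder"))   # allowed
    print(authorize(POLICY, clerk, "command", "CancelOrder"))  # denied
```

The evaluator returns the reason with every decision because the next section records each authorization decision as event metadata; a bare boolean loses the information an auditor later needs.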

For clients that can’t authenticate to your IdP directly (e.g. browser-side apps, AI agents with limited credential handling), EvidentSource supports token vending — a scoped-token endpoint that exchanges a long-lived credential for a short-lived, narrowly scoped token.

This lets you hand an AI agent a bounded ability to issue specific commands against a specific database for a specific time window, without handing it your IdP credentials.
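The following is an added example of the exchange described above, written to show the properties a scoped token must have rather than EvidentSource's own implementation. The token format (HMAC-SHA256 over a base64url JSON body using Python's standard library), the vending key and the "scope can only narrow" rule are all constructed assumptions; the product's actual token format is not described on this page.

```python
"""Added example: a scoped-token vending flow. A caller whose own
authorization covers a set of commands exchanges that identity for a
short-lived token that can issue only a subset of those commands, only
against one database, only until an expiry. Format and key are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Constructed signing secret held only by the vending endpoint. The agent
# that receives a token never sees this key or the caller's IdP credential.
VENDING_KEY = b"constructed-vending-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def vend_scoped_token(subject, caller_allowed_commands, database, commands,
                      ttl_seconds, now=None):
    """Mint a short-lived token. The requested command set must be a subset
    of what the caller is already authorized for: vending narrows, never
    widens. `now` is injectable so expiry can be tested deterministically."""
    requested = set(commands)
    excess = requested - set(caller_allowed_commands)
    if excess:
        raise PermissionError(f"cannot vend commands outside caller scope: {sorted(excess)}")
    now = int(time.time()) if now is None else now
    body = {"sub": subject, "db": database, "cmds": sorted(requested),
            "iat": now, "exp": now + ttl_seconds}
    payload = _b64(json.dumps(body, separators=(",", ":")).encode())
    sig = hmac.new(VENDING_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def check_scoped_token(token, database, command, now=None):
    """Verify signature first, then expiry, database binding and command
    scope. Returns (ok, detail): detail is the subject on success, the
    rejection reason otherwise."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed token"
    payload, sig = parts
    expected = hmac.new(VENDING_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False, "bad signature"
    body = json.loads(_unb64(payload))
    now = int(time.time()) if now is None else now
    if now >= body["exp"]:
        return False, "token expired"
    if body["db"] != database:
        return False, f"token is scoped to database {body['db']!r}"
    if command not in body["cmds"]:
        return False, f"command {command!r} not in token scope"
    return True, body["sub"]


if __name__ == "__main__":
    tok = vend_scoped_token("alice", {"PlaceOrder", "CancelOrder"},
                            "orders", ["PlaceOrder"], ttl_seconds=300)
    print(check_scoped_token(tok, "orders", "PlaceOrder"))   # (True, 'alice')
    print(check_scoped_token(tok, "orders", "CancelOrder"))  # out of scope
```

The order of checks in `check_scoped_token` matters: the signature is verified before any field of the body is trusted, so an unsigned or tampered body never reaches the scope comparison.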

Every command and every authentication decision is captured in the event log — see Decision Traces & AI-Readiness. The identity of every caller is recorded as event metadata, signed at the boundary.

The runtime itself holds no secrets beyond its IdP’s verification key, which is public. The storage layer needs AWS credentials for S3 access — use an instance profile or IRSA, not static keys.

  • IdP configured and tested
  • Per-database authorization policies written and reviewed
  • TLS certificate in ACM (provided to the ALB)
  • CloudWatch or OpenTelemetry sink receiving metrics and traces
  • Alerts on: 5xx rate, p99 latency, append failures, authorization rejections
  • S3 bucket versioning enabled (if your retention policy calls for it)
  • IAM review — task role has only the S3 actions it needs
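The last item of the checklist is the one most often done by eye. The following is an added example of a mechanical review check for the task role's policy, not a tool that ships with EvidentSource. The allow-list of S3 actions (object get/put plus bucket listing) and the bucket name are constructed assumptions; adjust the allow-list to the actions your deployment actually uses.

```python
"""Added example: a review check for the storage task role's IAM policy.
Flags any Allow statement that grants more than narrow S3 access to the
single EvidentSource bucket. Allow-list and bucket name are constructed."""
import json

# Assumed minimal set of S3 actions the storage layer needs (an assumption,
# not taken from EvidentSource documentation).
ALLOWED_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:ListBucket"}


def review_task_role_policy(policy_json: str, bucket: str):
    """Return a list of findings; an empty list means the policy passes.
    Checks every Allow statement for wildcard or non-S3 actions, S3 actions
    outside the allow-list, and resources other than the one bucket."""
    findings = []
    doc = json.loads(policy_json)
    ok_resources = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for a in actions:
            if "*" in a:
                findings.append(f"statement {i}: wildcard action {a!r}")
            elif not a.startswith("s3:"):
                findings.append(f"statement {i}: non-S3 action {a!r}")
            elif a not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: S3 action {a!r} outside the allow-list")
        for r in resources:
            if r not in ok_resources:
                findings.append(f"statement {i}: resource {r!r} is not the EvidentSource bucket")
    return findings


# Constructed: the over-broad policy a first draft often contains.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
})

# Constructed: the narrowed form that passes review.
NARROW_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-evidentsource-events/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-evidentsource-events"},
    ],
})

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("narrow", NARROW_POLICY)):
        print(name, review_task_role_policy(policy, "example-evidentsource-events") or "OK")
```

Run it against the task role's policy document before each deploy; a non-empty finding list is a review blocker rather than a warning, since a wildcard here undoes the "no static keys" guidance above.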