CipherStash Token Service

CipherStash Token Service (CTS) is an authentication and identity federation service.

CTS issues tokens that grant clients access to ZeroKMS. That access is temporary, limited, and can be granularly scoped.

If you are familiar with the AWS Security Token Service (AWS STS), CTS fulfills a similar role to that.

At a high level:

  • Clients authenticate to CTS
  • CTS issues temporary tokens to those authenticated clients
  • Those temporary tokens can be used to make requests to ZeroKMS

Clients can be CipherStash Proxy, an EQL library like protectjs, or Stash CLI.

Clients can authenticate to CTS via either:

  • Federation: an identity from an identity provider (IDP) that CTS trusts
  • Access keys: a persistent credential for machine-to-machine access

The temporary tokens are, as the name suggests, temporary — they are valid for a maximum of 15 minutes.

Federation allows you to use an existing source of identities to authenticate to CTS, and onwards to ZeroKMS.

This allows you to rapidly grant and revoke people's access based on your product or organisation's onboarding and offboarding processes.

By default, CTS federates with CipherStash Cloud's IDP, which under the hood is Auth0.

Once you have signed up to CipherStash Cloud, you can authenticate to CTS with that CipherStash Cloud identity.

If you want to bring your own IDP to CTS, you can configure your workspace to use either Auth0, Okta, or Clerk.

Access keys are a persistent credential you can use for machine-to-machine access to CTS.

If you are using CipherStash Proxy in production, you need an access key to allow persistent access to CTS, and onwards to ZeroKMS.
