CipherStashDocs

CipherStash Token Service (CTS)

Learn how the CipherStash Token Service (CTS) issues temporary tokens for ZeroKMS access, either via IDP federation with Auth0, Okta, Clerk or Supabase, or via access keys.

CipherStash Token Service (CTS) is an authentication and identity federation service.

CTS issues tokens that grant client keys access to ZeroKMS. That access is temporary, limited, and can be granularly scoped.

If you are familiar with the AWS Security Token Service (AWS STS), CTS plays a similar role for ZeroKMS: it exchanges a longer-lived credential or a federated identity for short-lived, scoped tokens.

How it works

At a high level:

  • Client keys authenticate to CTS
  • CTS issues temporary tokens to those authenticated client keys
  • Those temporary tokens can be used to make requests to ZeroKMS

A client key can be held by either CipherStash Proxy or an application using the Encryption SDK.

Tokens

Client keys can authenticate to CTS via either:

  • federation with an identity provider (IDP), or
  • an access key

Temporary tokens are valid for a maximum of 15 minutes. Clients should expect to re-authenticate and obtain a fresh token before the current one expires, rather than caching a token for longer than its lifetime.
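The flow described above (a client key authenticates with an access key or a federated identity, CTS issues a short-lived scoped token, ZeroKMS checks it) as an added, self-contained model. This is illustrative code written for this page, not CipherStash's CTS or ZeroKMS implementation: the token format (base64 JSON claims plus an HMAC), the scope names, the shared signing key, and all class and function names are assumptions made for the illustration. What it shows is the property the page asserts: tokens are bound to one client key, limited to the scopes requested, and never live longer than 15 minutes regardless of what the client asks for.

```python
"""Illustrative model of the CTS token flow (added example, not CipherStash code).
All names, the token format and the shared-secret signing scheme are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time

MAX_TTL_SECONDS = 15 * 60  # the page states temporary tokens live at most 15 minutes


class TokenService:
    """Stand-in for CTS: maps credentials to client keys and mints scoped tokens."""

    def __init__(self):
        # Assumption for the model: one symmetric key shared with the verifier.
        self._signing_key = secrets.token_bytes(32)
        self._access_keys = {}  # access_key_id -> (secret, client_key_id)
        self._federated = {}    # (issuer, subject) -> client_key_id

    def register_access_key(self, client_key_id):
        """Create a persistent access key (hypothetical id/secret format) for a client key."""
        key_id = "ak_" + secrets.token_hex(4)
        secret = secrets.token_hex(16)
        self._access_keys[key_id] = (secret, client_key_id)
        return key_id, secret

    def register_federated_identity(self, issuer, subject, client_key_id):
        """Map an IDP identity (issuer + subject) to a client key."""
        self._federated[(issuer, subject)] = client_key_id

    def issue_for_access_key(self, key_id, secret, scope, ttl=MAX_TTL_SECONDS):
        entry = self._access_keys.get(key_id)
        if entry is None or not hmac.compare_digest(entry[0], secret):
            raise PermissionError("access key rejected")
        return self._issue(entry[1], scope, ttl)

    def issue_for_federated_identity(self, idp_claims, scope, ttl=MAX_TTL_SECONDS):
        # idp_claims stands in for the claims of an already-verified OIDC ID token.
        client_key_id = self._federated.get((idp_claims["iss"], idp_claims["sub"]))
        if client_key_id is None:
            raise PermissionError("identity not mapped to a client key")
        return self._issue(client_key_id, scope, ttl)

    def _issue(self, client_key_id, scope, ttl):
        ttl = min(ttl, MAX_TTL_SECONDS)  # never exceed the 15-minute cap, whatever was asked for
        now = int(time.time())
        claims = {"sub": client_key_id, "scope": sorted(scope), "iat": now, "exp": now + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self._signing_key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def verifier(self):
        return ZeroKMS(self._signing_key)


def decode_claims(token):
    """Read the claims without verifying (useful for inspecting exp/iat)."""
    body, _, _ = token.rpartition(".")
    return json.loads(base64.urlsafe_b64decode(body))


class ZeroKMS:
    """Stand-in for the service that consumes CTS tokens."""

    def __init__(self, signing_key):
        self._signing_key = signing_key

    def authorize(self, token, client_key_id, needed_scope, now=None):
        """Return (allowed, reason); `now` can be injected to test expiry."""
        body, _, sig = token.rpartition(".")
        expected = hmac.new(self._signing_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(body))
        now = int(time.time()) if now is None else now
        if now >= claims["exp"]:
            return False, "token expired"
        if claims["sub"] != client_key_id:
            return False, "token bound to a different client key"
        if needed_scope not in claims["scope"]:
            return False, "scope not granted"
        return True, "ok"


if __name__ == "__main__":
    cts = TokenService()
    ak_id, ak_secret = cts.register_access_key("client_key_A")
    token = cts.issue_for_access_key(ak_id, ak_secret, {"encrypt", "decrypt"}, ttl=3600)
    kms = cts.verifier()
    print(kms.authorize(token, "client_key_A", "encrypt"))
    print(kms.authorize(token, "client_key_A", "admin"))
    print(decode_claims(token)["exp"] - decode_claims(token)["iat"], "seconds of life")
```

The check order in `authorize` matters: the signature is verified before any claim is read, so a tampered body never influences the expiry or scope decision, and a token minted for one client key is useless to another even if it is still within its 15-minute window.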

Federation

Federation allows you to use an existing source of identities to authenticate to CTS, and onwards to ZeroKMS. This allows you to rapidly grant and revoke people's access based on your product or organisation's onboarding and offboarding processes. By default, CTS federates with CipherStash Cloud's IDP.

Bringing your own Identity Provider (IDP)

If you want to bring your own IDP to CTS, you can configure your workspace to use Auth0, Okta, Clerk, or Supabase.

You can add and manage OIDC providers from your workspace settings in the CipherStash Dashboard.

Access keys

Access keys are a persistent credential you can use for application-to-service access to CTS. You can create access keys in the CipherStash Dashboard. Because access keys do not expire on their own, treat them as secrets: keep them out of source control, and prefer federation where a person's identity is involved so that access follows your onboarding and offboarding processes.
