OIDC Tokens

You can use OIDC to authenticate Mint with third-party services. In general, you should use OIDC when it's available. It's more secure than generating access tokens, which could be lost or stolen.

To use OIDC, you will need to configure the token in the Mint Vault UI. After setting the name and audience in the UI, you can reference the token in workflows like this:

${{ vaults.your_vault.oidc.your_token_name }}

If you're using OIDC for deployment, you'll most likely want to configure the OIDC token in a locked vault. For more details, see the documentation on vaults.

Specific Documentation for Relying Parties

Review these guides to authenticate from Mint to some of the most popular services using OIDC.

Mint OIDC with AWS

Mint OIDC with Depot

Mint OIDC with Google Cloud

Mint OIDC with Azure

Claims

If you're a service looking to validate a Mint OIDC token, review the following claims:

claimnamedescription
ississuerWill always be https://cloud.rwx.com/mint
subsubjectIdentifies the vault, in the format of mint:{organization uuid}:{vault name}
audaudienceThe audience configured for the token in the Vault
expexpiration timeThe time that the token expires as an integer
iatissued timeThe time that the token was issued as an integer
run_idrun idThe ID of the Mint run that generated the token
run_urlrun urlThe URL for the Mint run that generated the token
task_idtask idThe ID of the Mint task that generated the token
task_urltask urlthe URL for the Mint task that generated the token