OIDC Tokens
You can use OIDC to authenticate RWX with third-party services. In general, you should use OIDC when it's available. It's more secure than generating access tokens, which could be lost or stolen.
To use OIDC, you will need to configure the token in the RWX Vault UI.
After setting the name and audience in the UI, you can reference the token in workflows like this:
${{ vaults.your_vault.oidc.your_token_name }}
If you're using OIDC for deployment, you'll most likely want to configure the OIDC token in a locked vault. For more details, see the documentation on vaults.
Specific Documentation for Relying Parties
Review these guides to authenticate from RWX to some of the most popular services using OIDC.
Claims
If you're a service looking to validate an RWX OIDC token, review the following claims:
| claim | name | description |
|---|---|---|
| iss | issuer | Will always be https://cloud.rwx.com/mint |
| sub | subject | Identifies the vault, in the format of mint:{organization uuid}:{vault name} |
| aud | audience | The audience configured for the token in the Vault |
| exp | expiration time | The time that the token expires as an integer |
| iat | issued time | The time that the token was issued as an integer |
| run_id | run id | The ID of the RWX run that generated the token |
| run_url | run url | The URL for the RWX run that generated the token |
| task_id | task id | The ID of the RWX task that generated the token |
| task_url | task url | the URL for the RWX task that generated the token |