
Authentication & tenant binding

How Paybond credentials determine tenant scope, and how Kit sessions attach tenant context automatically.


Paybond is tenant-scoped. Tenant isolation is enforced by credentials and verified server-side. Paybond Kit is designed so you do not invent ad-hoc tenant headers at runtime.

The canonical flow (service account)

  1. Your runtime holds a service-account API key (paybond_sk_…) issued for a single tenant realm.
  2. Your runtime calls the Gateway endpoint POST /v1/auth/harbor-access with that key.
  3. The Gateway returns:
    • a short-lived Harbor JWT for Harbor calls
    • the tenant realm (tenant_id)
  4. The Kit binds the session to that tenant realm and attaches the correct tenant context on every Harbor request.

TypeScript

Use ServiceAccountHarborSession.open to mint and refresh a Harbor JWT and attach tenant scope automatically.

See: TypeScript quickstart.

Python

Use ServiceAccountHarborSession.open to mint and refresh a Harbor JWT and attach tenant scope automatically.

See: Python quickstart.

Rotation & caching

  • Cache minted Harbor JWTs only in memory, scoped to a single tenant.
  • If you rotate an API key, construct a new session object and drain in-flight work.
  • Never reuse a Harbor client/session across tenants.
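The following is an added, self-contained Python model of the canonical flow above and of the rotation and caching rules in this section. It is not Paybond Kit code: the real entry point is ServiceAccountHarborSession.open, whose signature this page does not give, so the HarborSession class, the rotate_key helper, the fake_harbor_access stub standing in for POST /v1/auth/harbor-access, the sample paybond_sk_EXAMPLE_* keys, and the use of an Authorization bearer header as the carrier of tenant context are all assumptions made for illustration.

```python
"""Constructed walk-through of the service-account flow and the rotation rules:
one session mints a Harbor JWT from one service-account key, binds itself to the
tenant realm the Gateway returns, attaches the token to every Harbor request,
refreshes it before expiry, and is drained (never re-keyed) when the key rotates.
This is illustration code, not Paybond Kit's own; names are assumptions."""
import time

# Constructed stand-in for the Gateway's key registry: a service-account key is
# issued for exactly one tenant realm. Sample keys only; EXAMPLE_A2 is the key
# that replaces EXAMPLE_A in the rotation shown at the bottom.
GATEWAY_KEYS = {
    "paybond_sk_EXAMPLE_A": "tenant_a",
    "paybond_sk_EXAMPLE_A2": "tenant_a",
    "paybond_sk_EXAMPLE_B": "tenant_b",
}
TOKEN_TTL = 300  # constructed lifetime, in seconds, of the short-lived Harbor JWT


def fake_harbor_access(api_key, now):
    """Stub for POST /v1/auth/harbor-access; returns (jwt, tenant_id, exp).
    A real Gateway issues a signed JWT; this stub returns a readable placeholder."""
    tenant_id = GATEWAY_KEYS.get(api_key)
    if tenant_id is None:
        raise PermissionError("service-account key unknown (revoked or rotated)")
    exp = now + TOKEN_TTL
    return f"harbor-jwt-for-{tenant_id}-exp{exp}", tenant_id, exp


class HarborSession:
    """One session == one key == one tenant realm (hypothetical class, not the Kit's)."""

    def __init__(self, api_key, gateway=fake_harbor_access, clock=time.time, skew=30):
        self._api_key, self._gateway, self._clock, self._skew = api_key, gateway, clock, skew
        self._jwt, self._exp = None, 0     # cached in memory only, never persisted
        self.tenant_id = None
        self.in_flight = 0
        self.draining = False
        self._mint()                       # steps 2-4: exchange key, learn realm, bind

    def _mint(self):
        jwt, tenant_id, exp = self._gateway(self._api_key, self._clock())
        if self.tenant_id is not None and tenant_id != self.tenant_id:
            # A refresh must come back in the realm this session is bound to.
            raise RuntimeError(f"refresh returned {tenant_id!r}, bound to {self.tenant_id!r}")
        self._jwt, self.tenant_id, self._exp = jwt, tenant_id, exp

    def _token(self):
        if self._clock() >= self._exp - self._skew:   # refresh shortly before expiry
            self._mint()
        return self._jwt

    def harbor_request(self, path, send):
        """Attach the tenant-bound JWT and pass the call to `send(path, headers)`."""
        if self.draining:
            raise RuntimeError("session is draining after key rotation; open a new one")
        self.in_flight += 1
        try:
            return send(path, {"Authorization": f"Bearer {self._token()}"})
        finally:
            self.in_flight -= 1

    def drain(self):
        """Refuse new work; return True once in-flight work has finished."""
        self.draining = True
        if self.in_flight == 0:
            self._jwt = None               # drop the cached token with the session
        return self.in_flight == 0


def rotate_key(old, new_api_key, **session_kwargs):
    """Key rotation: open a fresh session on the new key, then drain the old one."""
    new = HarborSession(new_api_key, **session_kwargs)
    if new.tenant_id != old.tenant_id:
        # Never let a rotation silently move a client into another tenant realm.
        raise RuntimeError("replacement key belongs to a different tenant realm")
    old.drain()
    return new


if __name__ == "__main__":
    now = [1000]                           # controllable clock for the demo
    log = lambda path, headers: print(path, headers["Authorization"])
    s = HarborSession("paybond_sk_EXAMPLE_A", clock=lambda: now[0])
    s.harbor_request("/harbor/ledger", log)      # freshly minted token
    now[0] = 1280
    s.harbor_request("/harbor/ledger", log)      # inside the skew window: refreshed
    s2 = rotate_key(s, "paybond_sk_EXAMPLE_A2", clock=lambda: now[0])
    print("old draining:", s.draining, "new realm:", s2.tenant_id)
```

Three behaviours carry the security point: the session learns its realm from the Gateway response rather than from anything the caller supplies, a refresh that comes back in a different realm is treated as a fault instead of being adopted, and rotation produces a new session object bound to the same realm while the old one only finishes work it already accepted.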