Route Guard Tiers

, and evaluated unconditionally on every request before any auth logic runs.

Enforced by: → loopback host check Bypass: None — not overridable by JWT, CLI token, or


















Response on violation: 


Enforced by:  → skip  bypass
Bypass: None when ; JWT always required

















Response on violation: 


 is
configured. CLI tokens can authenticate these routes (loopback + valid HMAC).



 in

 asserting that
 returns true for the new prefix

Never skip this step — see Hard Rule #15 in 























 — CLI machine-ID token
 — full authorization pipeline

Was this page helpful?

arrow_backPublic Credentials HandlingStealth Guidearrow_forward

Route Guard Tiers

Route Guard Tiers

, and evaluated unconditionally on every request before any auth logic runs.

is configured. CLI tokens can authenticate these routes (loopback + valid HMAC).

in `asserting that returns true for the new prefix Never skip this step — see Hard Rule #15 in`
`— CLI machine-ID token — full authorization pipeline`

— CLI machine-ID token
— full authorization pipeline

, and evaluated unconditionally on every request before any auth logic runs.

is configured. CLI tokens can authenticate these routes (loopback + valid HMAC).

in `asserting that returns true for the new prefix Never skip this step — see Hard Rule #15 in`
`— CLI machine-ID token — full authorization pipeline`

— CLI machine-ID token
— full authorization pipeline

Route Guard Tiers

Route Guard Tiers

, and evaluated unconditionally on every request before any auth logic runs.

is configured. CLI tokens can authenticate these routes (loopback + valid HMAC).

in asserting that returns true for the new prefix Never skip this step — see Hard Rule #15 in — CLI machine-ID token — full authorization pipeline

— CLI machine-ID token — full authorization pipeline

, and evaluated unconditionally on every request before any auth logic runs.

is configured. CLI tokens can authenticate these routes (loopback + valid HMAC).

in asserting that returns true for the new prefix Never skip this step — see Hard Rule #15 in — CLI machine-ID token — full authorization pipeline

— CLI machine-ID token — full authorization pipeline

in `asserting that returns true for the new prefix Never skip this step — see Hard Rule #15 in`
`— CLI machine-ID token — full authorization pipeline`

— CLI machine-ID token
— full authorization pipeline

in `asserting that returns true for the new prefix Never skip this step — see Hard Rule #15 in`
`— CLI machine-ID token — full authorization pipeline`

— CLI machine-ID token
— full authorization pipeline