JWT tokens and tenants
Barq sync uses signed access tokens.
The server verifies the token and uses the verified claims to scope synced data.
Single Public Key
Section titled “Single Public Key”Use one public key for all accepted tokens:
barq-server-dbg \ --root-dir ./barq-sync-data \ --jwt-public-key ./public.pemPer-tenant Keys
Section titled “Per-tenant Keys”Use --jwt-public-key-dir for per-tenant keys.
barq-server-dbg \ --root-dir ./barq-sync-data \ --jwt-public-key-dir ./tenant-keysSupported key layouts:
tenant-a.pemtenant-b.pemtenant-c/key-1.pemtenant-c/key-2.pemTenant Isolation
Section titled “Tenant Isolation”In multi-tenant mode, the server derives the tenant from the verified token. It stores files under that tenant path.
The client can ask for partition shared, but it cannot choose another tenant’s path.
Per-tenant Encryption
Section titled “Per-tenant Encryption”barq-server-dbg \ --root-dir ./barq-sync-data \ --jwt-public-key-dir ./tenant-keys \ --tenant-encryption-master-key ./master-secret.binThe server derives a separate database key per tenant.