Skip to content

JWT tokens and tenants

Barq sync uses signed access tokens.

The server verifies the token and uses the verified claims to scope synced data.

Use one public key for all accepted tokens:

Terminal window
barq-server-dbg \
--root-dir ./barq-sync-data \
--jwt-public-key ./public.pem

Use --jwt-public-key-dir for per-tenant keys.

Terminal window
barq-server-dbg \
--root-dir ./barq-sync-data \
--jwt-public-key-dir ./tenant-keys

Supported key layouts:

tenant-a.pem
tenant-b.pem
tenant-c/key-1.pem
tenant-c/key-2.pem

In multi-tenant mode, the server derives the tenant from the verified token. It stores files under that tenant path.

The client can ask for partition shared, but it cannot choose another tenant’s path.

Terminal window
barq-server-dbg \
--root-dir ./barq-sync-data \
--jwt-public-key-dir ./tenant-keys \
--tenant-encryption-master-key ./master-secret.bin

The server derives a separate database key per tenant.