ZITADEL•10mo ago

Limiting API user permissions

Use-case: Using Zitadel as the OIDC auth layer for our app
Environment: Self Hosting on k8s
Version: v2.67.2
Stack: Mostly TS

We implemented token introspection in a backend api and we are using a JWT (Projects -> new api-type project -> new key) to authenticate requests to the introspection endpoint.

Is it possible to limit the permissions of the API project / the JWT to only the introspection endpoint ? Thank you.

Rajat•4/8/25, 11:07 AM

Hi @Yuki thanks for your question, wdym here by "limit the permissions of the API project", if you have any examples of some sort that you'd like to explain this to me, that'll help. Like what is the end goal you're tryign to achieve?

YukiOP•4/8/25, 1:09 PM

Hello @Rajat , thank you for replying.
Our use case is this : we have a SPA frontend that does the oidc auth flow and sends the access token to a rest api to populate the frontend with data. We want the backend to validate the token using the introspection endpoint.
The backend has the JSON containing the private key, appId, clientId etc. used to generate a signed JWT to authenticate to the Zitadel introspection endpoint.

The only operation this backend requires from Zitadel is the token introspection capability and we try to enforce the principle of least privilege so my question would be : when our backend generates a JWT to access Zitadel APIs how much can it access and what are the best practices to limit it to the strict minimum ?