SSO roadmap
Current X-API-Key auth and planned SAML 2.0, OIDC, SCIM.
What this is
How COHESION handles enterprise identity today, and what is planned.
Today
- Auth: X-API-Key header, peppered SHA-256 at rest, 80 ms timing floor on every auth response (success or failure), self-serve rotation and revocation.
- Per-org scoping: every API key is org-scoped. No cross-tenant reads under any circumstance.
- Audit log: KEY_CREATED, KEY_ROTATED, KEY_REVOKED, auth-success and auth-fail events, retained 90 days.
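As an added example, not COHESION's own code, the following Python models the path the bullets above describe: look up the key, compare a peppered SHA-256 hash in constant time, hold every response to the 80 ms floor, enforce org scoping, and write the audit events. The "<key_id>.<secret>" key format, the use of HMAC-SHA-256 as the peppering construction, the AUTH_SUCCESS / AUTH_FAIL event names and the 404-for-foreign-tenant response are assumptions made for the example; the pepper value is constructed.

```python
"""Model of the "Today" auth path: X-API-Key lookup, peppered SHA-256 at rest,
constant-time compare, an 80 ms timing floor, org scoping and an audit log."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption: the pepper is a server-side secret kept apart from the key table
# (secret manager or HSM). This fixed value is constructed for the example.
PEPPER = bytes.fromhex("6c1d3f0f2a9b4e7c8d1e5f6a7b8c9d0e1f2a3b4c5d6e7f8091a2b3c4d5e6f708")
TIMING_FLOOR_S = 0.080  # the 80 ms floor: no auth response returns faster


def hash_key(secret: str, pepper: bytes = PEPPER) -> str:
    # HMAC-SHA-256 keyed with the pepper is one way to realise a "peppered
    # SHA-256": a leaked table of hashes is useless without the pepper.
    return hmac.new(pepper, secret.encode(), hashlib.sha256).hexdigest()


@dataclass
class KeyRecord:
    org_id: str
    key_hash: str
    revoked: bool = False


@dataclass
class KeyStore:
    keys: Dict[str, KeyRecord] = field(default_factory=dict)
    audit: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)

    def _log(self, event: str, key_id: str, org_id: Optional[str]) -> None:
        self.audit.append((event, key_id, org_id))

    def create(self, org_id: str) -> str:
        # Assumed key format "<key_id>.<secret>": the public id selects one
        # record, so the verifier never hashes against every stored key.
        key_id = "ck_" + secrets.token_hex(6)
        secret = secrets.token_urlsafe(32)
        self.keys[key_id] = KeyRecord(org_id, hash_key(secret))
        self._log("KEY_CREATED", key_id, org_id)
        return f"{key_id}.{secret}"

    def rotate(self, key_id: str) -> str:
        rec = self.keys[key_id]
        secret = secrets.token_urlsafe(32)
        rec.key_hash = hash_key(secret)  # the old secret stops validating at once
        self._log("KEY_ROTATED", key_id, rec.org_id)
        return f"{key_id}.{secret}"

    def revoke(self, key_id: str) -> None:
        rec = self.keys[key_id]
        rec.revoked = True
        self._log("KEY_REVOKED", key_id, rec.org_id)

    def authenticate(self, headers: Dict[str, str],
                     floor_s: float = TIMING_FLOOR_S) -> Optional[str]:
        """Return the org_id behind a valid X-API-Key header, else None.
        Unknown id, wrong secret, revoked key and success do the same work
        and all take at least floor_s, so latency does not reveal the branch."""
        start = time.monotonic()
        key_id, _, secret = headers.get("X-API-Key", "").partition(".")
        rec = self.keys.get(key_id)
        expected = rec.key_hash if rec else hash_key("")  # same work for unknown ids
        match = hmac.compare_digest(hash_key(secret), expected)
        ok = match and rec is not None and not rec.revoked
        self._log("AUTH_SUCCESS" if ok else "AUTH_FAIL", key_id or "-",
                  rec.org_id if rec else None)
        remaining = floor_s - (time.monotonic() - start)
        if remaining > 0:
            time.sleep(remaining)
        return rec.org_id if ok else None


def timed_auth(store: KeyStore, headers: Dict[str, str]) -> Tuple[Optional[str], float]:
    """Authenticate and report wall-clock time, to show the floor holds on every path."""
    t0 = time.monotonic()
    org = store.authenticate(headers)
    return org, time.monotonic() - t0


def handle_read(store: KeyStore, headers: Dict[str, str],
                resource_org: str, resource: dict) -> Tuple[int, Optional[dict]]:
    """Org scoping: a key reads only its own org's resources. Answering 404
    rather than 403 for another tenant's resource is an assumption here; it
    avoids confirming that the foreign resource exists at all."""
    org = store.authenticate(headers)
    if org is None:
        return 401, None
    if org != resource_org:
        return 404, None
    return 200, resource
```

The floor only buys anything if every branch does the same work before the sleep, which is why an unknown key id is still hashed and compared against a dummy digest; otherwise the "unknown id" path returns measurably faster than "known id, wrong secret", and the timing floor becomes an enumeration oracle for valid key ids.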
Planned (target Q3 2026)
SAML 2.0
Browser-initiated SSO for the customer dashboard only. API keys remain the authentication primitive for programmatic calls.
OIDC
For customer-admin console login. Same scope as SAML: dashboard, not API.
SCIM 2.0
Automated org-user provisioning and deprovisioning for the dashboard. API keys per-service continue to be provisioned via the admin console after the user is provisioned.
Per-user API keys (stretch)
Today: one key per org. Planned: sub-keys scoped to a single admin user, revocable independently of the org’s primary key.
Why API keys for the API itself
Programmatic integrations call the API from servers, workers, and batch jobs. OAuth / OIDC refresh flows add latency and failure modes that do not suit this traffic pattern. API keys with mandatory rotation and peppered hashing, with short-lived keys on the roadmap, sit at a better point on the security / operability curve for it.