xcel / identity

XCEL Identity Service

Standards-based OAuth 2.0 Authorization Server and OpenID Connect Identity Provider. Phases 1–7 are implemented; the service is ready for demo and uat. Production launch is pending external review (see Phase 7 report).

Liveness
/api/public/health

Service is reachable.

Readiness
/api/public/ready

Config, database, and keystore probes.

Discovery
/.well-known/openid-configuration

OIDC provider metadata.

JWKS
/.well-known/jwks.json

Active signing keys.

Implemented phases

  • · Phase 1 — Env-aware config, 22-table RLS schema, audit, service-JWT, rate/idempotency
  • · Phase 2 — Signing keys, keystore wrapping, pairwise seed, handoff tokens
  • · Phase 3 — Authorize / token / userinfo, PKCE S256, private_key_jwt, ID tokens, JWKS
  • · Phase 4 — Consent, revocation, logout, lifecycle webhooks with retry + dead-letter
  • · Phase 6 — DPT demo client wiring, claim release, end-to-end sandbox tests
  • · Phase 7 — Retention, key rotation, metrics, attack-surface tests, runbooks

Internal

Operations console →

Read-only SRE / security dashboard. Requires an authenticated user with the admin, operator, or auditor role.