xcel / identity
XCEL Identity Service
Standards-based OAuth 2.0 Authorization Server and OpenID Connect Identity Provider. Phases 1–7 are implemented; the service is ready for demo and uat. Production launch is pending external review (see Phase 7 report).
Liveness
/api/public/health
Service is reachable.
Readiness
/api/public/ready
Config, database, and keystore probes.
Discovery
/.well-known/openid-configuration
OIDC provider metadata.
JWKS
/.well-known/jwks.json
Active signing keys.
Implemented phases
- · Phase 1 — Env-aware config, 22-table RLS schema, audit, service-JWT, rate/idempotency
- · Phase 2 — Signing keys, keystore wrapping, pairwise seed, handoff tokens
- · Phase 3 — Authorize / token / userinfo, PKCE S256, private_key_jwt, ID tokens, JWKS
- · Phase 4 — Consent, revocation, logout, lifecycle webhooks with retry + dead-letter
- · Phase 6 — DPT demo client wiring, claim release, end-to-end sandbox tests
- · Phase 7 — Retention, key rotation, metrics, attack-surface tests, runbooks
Internal
Operations console →
Read-only SRE / security dashboard. Requires an authenticated user with the admin, operator, or auditor role.