Notes regarding Hydrolix Authentication and Authorization data model

Users & Tokens

  • Users are authenticated via an email address and password.
  • Tokens are authenticated via a (revocable) OAuth token id.
  • In the future we will support MFA and SAML-based authentication as well.


Permissions are granular privileges applied to an individual user or token, granting them the ability to take specific actions on a specific set of resources.


Roles represent a set of permissions. For example:

  1. admin - can access the config API and change any setting
  2. operator - can access the config API, but can only view current settings
  3. publisher - can access the ingest API to publish data
  4. reader - can access the query API to query data

Initially we only support these 4, but we plan to add support for custom roles in the future.


Scopes come in three flavors:

  1. All projects: .
  2. One specific project: {project}.*
  3. One specific table: {project}.{table}
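
One way to evaluate a role held at a scope with deny-by-default semantics, as an added example that is not Hydrolix code. The action names ("read", "write"), the (role, scope) grant shape, the function names and the "*.*" spelling for the all-projects scope are assumptions made for illustration.

```python
# Added example: role names and scope forms come from the notes above; the
# action names and the "*.*" spelling for all projects are assumptions.
ROLE_PERMISSIONS = {
    "admin": {("config", "read"), ("config", "write")},
    "operator": {("config", "read")},
    "publisher": {("ingest", "write")},
    "reader": {("query", "read")},
}


def parse_scope(scope):
    """Split a scope into (project, table); '*' means any. Reject other shapes."""
    parts = scope.split(".")
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"malformed scope: {scope!r}")
    project, table = parts
    # Only whole-segment wildcards are valid, and never "*.{table}".
    if any("*" in p and p != "*" for p in parts) or (project == "*" and table != "*"):
        raise ValueError(f"unsupported scope: {scope!r}")
    return project, table


def scope_covers(scope, project, table):
    """True if the scope includes the concrete resource project.table."""
    if any(not n or "*" in n or "." in n for n in (project, table)):
        return False  # the requested resource must be a concrete name
    s_project, s_table = parse_scope(scope)
    return s_project in ("*", project) and s_table in ("*", table)


def is_allowed(grants, api, action, project, table):
    """grants is a list of (role, scope) pairs; anything not granted is denied."""
    for role, scope in grants:
        if (api, action) not in ROLE_PERMISSIONS.get(role, set()):
            continue
        try:
            if scope_covers(scope, project, table):
                return True
        except ValueError:
            continue  # a malformed scope grants nothing
    return False


if __name__ == "__main__":
    grants = [("reader", "web.*"), ("publisher", "web.logs")]  # constructed sample
    print(is_allowed(grants, "query", "read", "web", "errors"))    # reader on web.*
    print(is_allowed(grants, "ingest", "write", "web", "errors"))  # publisher is table-scoped
```

Matching compares whole project and table segments, so a grant on web.* does not extend to a project named website, and a scope that fails to parse contributes no access.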