> ## Documentation Index
> Fetch the complete documentation index at: https://engineering.unkey.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> RPC authentication and bearer token handling

## Bearer authentication

Vault requires an `Authorization: Bearer <token>` header on Encrypt, Decrypt, and ReEncrypt RPCs. The token must match `bearer_token` from the service config. Missing or invalid tokens return Unauthenticated. Liveness does not require authentication.

The token is compared using constant-time equality to avoid timing leaks.

## Token rotation

Vault does not manage token rotation. You must update the token in AWS Secrets Manager and roll the deployment.

Runtime callers that embed the bearer token:

* API service ([`svc/api/run.go`](https://github.com/unkeyed/unkey/blob/main/svc/api/run.go))
* Frontline service and certificate manager ([`svc/frontline/run.go`](https://github.com/unkeyed/unkey/blob/main/svc/frontline/run.go), [`svc/frontline/services/certmanager/service.go`](https://github.com/unkeyed/unkey/blob/main/svc/frontline/services/certmanager/service.go))
* Krane service and secrets service ([`svc/krane/run.go`](https://github.com/unkeyed/unkey/blob/main/svc/krane/run.go), [`svc/krane/secrets/service.go`](https://github.com/unkeyed/unkey/blob/main/svc/krane/secrets/service.go))
* Control plane worker and workflows ([`svc/ctrl/worker/run.go`](https://github.com/unkeyed/unkey/blob/main/svc/ctrl/worker/run.go), [`svc/ctrl/worker/deploy/service.go`](https://github.com/unkeyed/unkey/blob/main/svc/ctrl/worker/deploy/service.go), [`svc/ctrl/worker/certificate/service.go`](https://github.com/unkeyed/unkey/blob/main/svc/ctrl/worker/certificate/service.go), [`svc/ctrl/worker/clickhouseuser/service.go`](https://github.com/unkeyed/unkey/blob/main/svc/ctrl/worker/clickhouseuser/service.go))
* Control ACME user service ([`svc/ctrl/services/acme/user.go`](https://github.com/unkeyed/unkey/blob/main/svc/ctrl/services/acme/user.go))
* Analytics connection manager ([`internal/services/analytics/service.go`](https://github.com/unkeyed/unkey/blob/main/internal/services/analytics/service.go))