KrillSwitch docs

Auth and roles

Edit page ↗

Auth and roles

Defense in depth

Production management uses three independent gates:

  1. Cloudflare Access protects the admin hostname.
  2. Better Auth establishes a GitHub-backed session, or a ksat_ bearer token establishes an automation actor.
  3. KrillSwitch resolves the actor's role and authorizes the specific route.

Passing Access does not grant a KrillSwitch role. A valid session without a role sees the no-access state.

Roles

CapabilityAdminEditorViewerNo grant
Read flags and change logYesYesYesNo
Change flags and targetingYesYesNoNo
Create projects/environmentsYesNoNoNo
Rotate evaluation keysYesNoNoNo
Manage roles and tokensYesNoNoNo

Access tokens support only editor and viewer roles. There is no token-admin path.

Bootstrap admin

The first production admin is selected with the BOOTSTRAP_ADMIN_EMAIL Worker secret. Use the approved OpenClaw deploy identity and a real GitHub OAuth application. After bootstrap, admins manage grants from the dashboard.

GitHub organization viewers

GITHUB_VIEWER_ORG=openclaw allows a signed-in organization member with no explicit grant to resolve as a viewer. Membership is checked during sign-in using the user's GitHub token.

Session and token actors

All authenticated management requests resolve to one actor shape. Audit entries distinguish session users from access tokens and preserve the human-readable actor name.