Limit the scope of user JWTs to certain endpoints
Problem to solve
Currently the user JWT will have the scope code_suggestions, which means it has access to both code completions and code generation, of all versions. We want to limit the user JWT's power to just code_suggestions of v3.
Proposal
We decided to start with the most boring solution. We will create a new user-specific scope, with a new name (e.g. code_completions), that only the user JWT will have. Then we want the v3 version of code_suggestions to allow both the code_suggestions scope and this new scope.
We are making token checks on endpoints that require the code_suggestions scope, and checking the issuer. If the issuer is ai_gateway, we know it is a user JWT and allow/deny access based on that.
Links / references
Edited by Roy Zwambag
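
One way to express the scope and issuer checks described in the proposal, as an added example that is not GitLab's own code. The claim name scopes, the version labels v2 and v3, the authorize function and the sample issuer gitlab.example.com are assumptions; the scope names and the ai_gateway issuer come from the issue text. It also holds a user JWT that still carries the old code_suggestions scope to v3 through the issuer check.

```python
# Added illustration; not code from the project. Signature, expiry and audience
# checks are assumed to have passed before authorize() is called.
LEGACY_SCOPE = "code_suggestions"   # scope named in the issue
USER_SCOPE = "code_completions"     # the issue's example name for the new scope
USER_JWT_ISSUER = "ai_gateway"      # issuer value given in the issue

# Assumption: versions are labelled "v2"/"v3"; only v3 accepts the new scope.
ACCEPTED_SCOPES = {"v3": {LEGACY_SCOPE, USER_SCOPE}}
USER_JWT_VERSIONS = {"v3"}


def authorize(claims, version):
    """Return (allowed, reason) for one request to a code suggestions endpoint."""
    scopes = claims.get("scopes")  # assumption: scopes arrive as a list claim
    if not isinstance(scopes, (list, tuple, set)) or not all(
        isinstance(s, str) for s in scopes
    ):
        return False, "missing or malformed scopes claim"
    # Versions without an entry accept only the original scope.
    accepted = ACCEPTED_SCOPES.get(version, {LEGACY_SCOPE})
    if not accepted & set(scopes):
        return False, "token scope not accepted by this endpoint version"
    # Issuer check from the issue: ai_gateway as issuer marks a user JWT.
    if claims.get("iss") == USER_JWT_ISSUER and version not in USER_JWT_VERSIONS:
        return False, "user JWT is limited to v3"
    return True, "ok"


# Constructed sample claims, not real tokens.
SAMPLES = [
    ("user JWT, new scope", {"iss": "ai_gateway", "scopes": ["code_completions"]}),
    ("user JWT, old scope", {"iss": "ai_gateway", "scopes": ["code_suggestions"]}),
    ("instance token", {"iss": "gitlab.example.com", "scopes": ["code_suggestions"]}),
    ("no scopes claim", {"iss": "ai_gateway"}),
]

if __name__ == "__main__":
    for label, claims in SAMPLES:
        for version in ("v2", "v3"):
            allowed, reason = authorize(claims, version)
            verdict = "allow" if allowed else "deny"
            print(f"{label:22} {version}: {verdict} ({reason})")
```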