Authentication

Plugwerk supports two authentication methods:

Built-in username/password authentication with JWT tokens. Enabled by default.

A superadmin account is created on first start. The password is either:

  • Set via the PLUGWERK_AUTH_ADMIN_PASSWORD environment variable
  • Generated randomly and printed to the server logs

Plugwerk supports multiple OIDC identity providers (Keycloak, Auth0, Azure AD, etc.) simultaneously.

Configure providers through the Admin UI under Settings → OIDC Providers, or via the REST API:

POST /api/v1/admin/oidc-providers

Each provider requires:

  • Issuer URI — the OIDC discovery endpoint
  • Client ID and Client Secret
  • Display name — shown on the login page
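
A pre-flight check for the Issuer URI before a provider is registered, as an added example that is not part of Plugwerk's own code. It assumes the provider follows OpenID Connect Discovery 1.0 (metadata served at /.well-known/openid-configuration under the issuer); the function names and the sample document are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Metadata fields OpenID Connect Discovery 1.0 marks as REQUIRED
# (token_endpoint is required unless only the implicit flow is used).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

# Constructed sample discovery document (not from a real provider).
SAMPLE = json.loads("""{
  "issuer": "https://idp.example.test/realms/plugins",
  "authorization_endpoint": "https://idp.example.test/realms/plugins/auth",
  "token_endpoint": "https://idp.example.test/realms/plugins/token",
  "jwks_uri": "https://idp.example.test/realms/plugins/certs",
  "response_types_supported": ["code"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"]
}""")

def discovery_url(issuer):
    """Where the discovery document lives for a given issuer URI."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_provider(issuer, metadata):
    """Return a list of problems; an empty list means the metadata is consistent."""
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("issuer must be an https URL")
    if parts.query or parts.fragment:
        problems.append("issuer must not contain a query or fragment")
    for field in REQUIRED:
        if not metadata.get(field):
            problems.append(f"missing metadata field: {field}")
    # The document's issuer must equal the configured value character for
    # character (a trailing slash counts), because it is compared with the
    # `iss` claim of every ID token.
    if metadata.get("issuer") not in (None, issuer):
        problems.append(f"issuer mismatch: document says {metadata['issuer']!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = metadata.get(key)
        if value and urlsplit(value).scheme != "https":
            problems.append(f"{key} is not served over https")
    return problems

if __name__ == "__main__":
    print(discovery_url(SAMPLE["issuer"]))
    print(check_provider("https://idp.example.test/realms/plugins/", SAMPLE))
```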

For SDK consumers, API keys provide read-only access without requiring a login flow:

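| Method       | Header                      | Permissions                        |
|--------------|-----------------------------|------------------------------------|
| API Key      | X-Api-Key: pwk_...          | Read-only (list, search, download) |
| Bearer Token | Authorization: Bearer <jwt> | Per user role                      |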

API keys are managed per namespace under Settings → API Keys.