Skip to main content

Overview

S4Kit uses an inheritance model for authentication, allowing you to configure credentials at different levels. The most specific configuration always wins.

Inheritance Chain

Configuration Levels

Instance Default

The base authentication for an instance:
All services use this unless overridden.

System Service

Override for a specific service across all instances:

Instance Service

Override for a specific service on a specific instance:

Resolution Example

Consider this configuration:

Resolution Results

InstanceServiceAuth UsedReason
productionAPI_BUSINESS_PARTNEROAuth (BP_PROD)Instance Service override
productionAPI_SALES_ORDEROAuth (SALES_GLOBAL)System Service override
productionAPI_PRODUCTBasic (PROD_USER)Instance Default
devAPI_BUSINESS_PARTNERBasic (DEV_USER)Instance Default
devAPI_SALES_ORDEROAuth (SALES_GLOBAL)System Service override
devAPI_PRODUCTBasic (DEV_USER)Instance Default

Use Cases

Different Users per Environment

OAuth for Sensitive Services

Third-Party Integration Service

Best Practices

Start Simple

Begin with instance defaults:
Add service-specific auth only when needed.

Use OAuth When Available

OAuth provides:
  • Automatic token refresh
  • Better security (no password transmission)
  • Granular scopes

Separate by Security Level

Document Your Configuration

Keep a record of:
  • Which services use which auth
  • Why overrides exist
  • Credential owners

Troubleshooting

Wrong Credentials Used

Symptom: Request uses unexpected authentication Solution: Check inheritance chain
  1. Is there an Instance Service config?
  2. Is there a System Service config?
  3. What is the Instance Default?

OAuth Token Issues

Symptom: Token refresh fails for some services Solution: Verify OAuth config at correct level
  • Check token URL is correct
  • Verify scopes are appropriate
  • Ensure client has access to service

Authentication Mismatch

Symptom: 401 errors after configuration change Solution: Check for shadowing
  • Service-level config may override your change
  • Clear Redis cache after changes
  • Test with explicit service parameter

Viewing Effective Auth

In the dashboard, view the effective authentication:
  1. Go to Instances β†’ Select instance
  2. Click Services
  3. Each service shows its effective auth source:
    • β€œInstance Service” - service-specific override
    • β€œSystem Service” - system-wide service config
    • β€œInstance Default” - fallback to instance auth