Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.withsutro.com/llms.txt

Use this file to discover all available pages before exploring further.

Builders are end users or clients who build and run apps that integrate with Sutro. They are managed by your organization (via Members), not Sutro directly. To support your own user base, you’ll need to configure certificates for both JWT verification and mTLS security. Learn more about JSON Web Tokens (JWTs) and Mutual TLS (mTLS).

JWT verification

The Sutro API verifies JWTs that your system generates and includes in requests from your Builders.

Required claims

Every JWT must include the following claims:
ClaimDescription
subThe security ID (SID) associated with the user in your system
issThe issuer SID previously registered with the UAPI
audMust include https://sapi.withsutro.com
JWTs must be signed using the RS256 algorithm. The public key used to verify signatures must be preregistered with the User Management API (UAPI).

Configuration

Two elements are needed for JWT verification:
  1. Register an Issuer SID
  2. Register a Verification Certificate

1. Register an issuer SID

Issuer SIDs identify and verify the source of JWTs.
  • Each SID must be globally unique and comply with RFC 7519.
  • In practice, use a UUID or a URI containing a domain you own.
  • Multiple issuer SIDs can be registered if needed.

2. Register a verification certificate

JWTs signed with RS256 require a matching public certificate to be registered with the UAPI. Once registered, that certificate can be linked to one or more issuer SIDs.
You hold the private key; Sutro never stores it. Register only the public certificate.

mTLS security

Mutual TLS (mTLS) adds another layer of authentication, requiring clients to present a certificate for every request. This uses public-private key pairs: the client signs each request with its private key, and Sutro verifies it using the corresponding public certificate registered via the UAPI.

Configuration

Sutro can generate mTLS certificates for you.
  • Certificates are signed by Sutro’s private Certificate Authority.
  • The public certificate is stored by Sutro; the private key is available only once at generation.
  • Certificates expire after 90 days.
Automatic renewal of mTLS certificates will be available in an upcoming release.

Summary

Security LayerWhat You DoManaged In
JWT VerificationRegister issuer SID and verification certificateUAPI
mTLS SecurityUpload or generate client certificateUAPI
Certificate RenewalManual (auto-renew coming soon)UAPI