Overview
This page explains how Sutro authenticates incoming API requests. During request processing we confirm the JWT is well-formed, that it targets the Sutro API, and that (for Builder traffic) the request arrives over mutual TLS. When all validation points pass, we continue execution; otherwise the request is rejected.What happens during validation
1
Inspect the JWT structure
- The request must include a JWT that is well-formed.
- Malformed or missing tokens are rejected before any additional checks run.
2
Validate standard claims
- The
audclaim must equal"https://sapi.withsutro.com". - The
issclaim must map to an issuer that the organization has previously registered with Sutro.
3
Verify the signature
- Sutro looks up the public certificate associated with the issuer.
- The JWT’s signature must verify against that certificate; if it fails, the request is denied.
4
Check the subject (SID)
- The
subclaim must resolve to a known Member or Builder. - That principal must belong to the customer sending the request.
5
Enforce Builder mTLS
- If the SID represents a Builder, the request must arrive over mTLS.
- The presented client certificate must match the Builder’s certificate stored with Sutro.
When all stages succeed, Sutro marks the request as authenticated and forwards it to the requested endpoint.