| title | Concepts |
|---|---|
| description | How Modgud thinks about identity, tenancy, authorization, and the OAuth/OIDC surface — the mental model behind the code. |
The conceptual map of Modgud. If you're new, read these in roughly the order below — each one builds on the ones above it.
- Glossary — terminology used across the docs and UI. Skim it once; refer back when a word feels overloaded.
- Apps & resource_access — why permissions are app-scoped and how resource_access shows up on tokens.
- Realms (Multi-Tenant) — the database-per-realm model and how requests get routed to the right tenant.
- Control Plane / Data Plane — how cross-realm administration is structurally separated from tenant operations.
- Authentication — login flows, 2FA, federated OIDC, sessions.
- Authorization (RBAC) — the Principal → Group → Role → Permission chain.
- Permissions & gating — the three-segment permission grammar and the bypass tiers.
- Auto-Membership — JsEval-scripted group membership predicates.
- ABAC and the IAM boundary — why row-level access stays in the consuming app, not in the IdP.
- OAuth & OIDC — the supported flows, signing, and per-realm isolation.
- Dynamic Client Registration — RFC 7591 for MCP agents and self-onboarding apps.
- Sessions & Tokens — what's on a token, where session state lives, and how rotation works.