Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.trueparser.com/llms.txt

Use this file to discover all available pages before exploring further.

TrueParser is designed so tenant applications authenticate securely, stay isolated from each other, and operate within platform protection controls. This page focuses on the parts of security that matter to tenant developers and operators.

1. Authentication

Tenant applications use machine-to-machine authentication.

M2M Access

  • tenant apps authenticate with client_id and client_secret
  • M2M access uses OAuth 2.0 client_credentials
  • the API scope for tenant apps is TrueParser.API
  • access tokens are short-lived and currently configured for 15 minutes

Token Renewal For M2M

For tenant-facing M2M usage, treat token renewal as re-authentication with the app credentials.
  • request a new access token using client_id and client_secret
  • cache and reuse access tokens until they are close to expiry
A 15-minute access token should not be a bottleneck if your backend reuses the token and renews it close to expiry instead of requesting a new token for every API call.

2. App Isolation

Each tenant app is an isolated machine identity.
  • every app has its own client_id and client_secret
  • apps can be enabled or disabled independently
  • apps carry their own license region and usage metadata
  • plan assignment is tracked per app
This means one app can be rotated, disabled, or reconfigured without affecting other apps in the same tenant.

3. Allowed Domains

Apps can store up to three allowed domains as security metadata. Typical usage:
SlotRecommended Use
allowed_domain_1Production, for example myapp.com
allowed_domain_2Staging, for example staging.myapp.com
allowed_domain_3Local development, for example localhost:3000
Allowed domains are normalized before storage.
  • protocols are stripped
  • trailing slashes are removed
  • wildcards are rejected
  • localhost with a valid port is allowed
When configured, these values are included in the app’s access token as claims.

4. Plan And Usage Protection

Plans control the usage entitlements attached to an app.
  • if no plan is assigned, the app can still obtain a token, but the entitlements claim is omitted
  • if a usable plan is assigned, the token includes usage entitlements
  • if a retired plan is assigned, token issuance is blocked
For tenant-facing docs, usage should be understood as Document Units.

5. Platform Protection

TrueParser protects the platform with runtime and traffic controls.

Rate Limiting

Rate limiting helps protect sensitive endpoints from abuse and accidental overload.
  • authentication and other sensitive endpoints are protected by request limits
  • clients should avoid unnecessary token requests
  • clients should reuse access tokens until renewal is needed

Resource Guard

TrueParser also monitors runtime resource pressure to protect platform stability.
  • the platform monitors service health and resource pressure
  • during overload conditions, requests may be slowed, deferred, or rejected
  • this helps preserve stability for all tenants sharing the platform

6. Credential Handling

Treat the app secret as a sensitive backend credential.
  • the plaintext client_secret is shown once when the app is created
  • if the secret is regenerated, the new plaintext secret is shown once for that regeneration event
  • regenerating a secret invalidates the old one
  • store secrets in your own secure secret manager

7. Auditability

Security-sensitive operations should be treated as operational events.
  • tenant and app lifecycle changes affect access behavior
  • credential rotation and plan changes should be tracked in your own operational process
  • if access behavior changes unexpectedly, verify app status, tenant status, plan status, and secret validity first
Last modified on April 28, 2026