TrueParser is designed so tenant applications authenticate securely, stay isolated from each other, and operate within platform protection controls.
This page focuses on the parts of security that matter to tenant developers and operators.
1. Authentication
Tenant applications use machine-to-machine authentication.
M2M Access
- tenant apps authenticate with client_id and client_secret
- M2M access uses the OAuth 2.0 client_credentials grant
- the API scope for tenant apps is TrueParser.API
- access tokens are short-lived and currently configured for 15 minutes
Token Renewal For M2M
For tenant-facing M2M usage, treat token renewal as re-authentication with the app credentials.
- request a new access token with client_id and client_secret
- do not rely on refresh tokens for M2M renewal; the client_credentials grant does not normally issue them
- cache and reuse the access token until it is close to expiry, then renew it
A 15-minute access token is not a bottleneck if your backend reuses the token and renews it shortly before expiry instead of requesting a new token for every API call. Requesting a token per call also counts against the request limits on the authentication endpoint.
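The renewal pattern above, as an added example (this is not TrueParser's client library). The token endpoint URL and the 60-second renewal window are assumptions; the grant type and scope are the ones documented on this page. The transport is injectable, so the demo drives the cache with a constructed fake issuer and a controllable clock instead of the network, while http_fetch shows the real form-encoded POST.

```python
import json
import threading
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumption: hypothetical token endpoint; the real URL comes from your tenant configuration.
TOKEN_URL = "https://auth.trueparser.example/oauth2/token"
SCOPE = "TrueParser.API"
# Renew when this much lifetime (or less) remains. The value is an assumption, not a platform setting.
RENEW_SKEW_SECONDS = 60


@dataclass
class CachedToken:
    access_token: str
    expires_at: float  # absolute epoch seconds, computed from expires_in at issue time


class M2MTokenCache:
    """Holds one client_credentials token per app and renews it shortly before expiry.

    `fetch` posts the form fields to the token endpoint and returns the parsed JSON
    response; it is injectable so the cache can be exercised offline.
    """

    def __init__(self, client_id: str, client_secret: str,
                 fetch: Callable[[Dict[str, str]], dict],
                 clock: Callable[[], float] = time.time,
                 skew: int = RENEW_SKEW_SECONDS) -> None:
        self._client_id = client_id
        self._client_secret = client_secret
        self._fetch = fetch
        self._clock = clock
        self._skew = skew
        self._lock = threading.Lock()
        self._token: Optional[CachedToken] = None

    def _stale(self) -> bool:
        return self._token is None or self._clock() >= self._token.expires_at - self._skew

    def get(self) -> str:
        """Return a usable bearer token, renewing only when it is close to expiry."""
        if not self._stale():
            return self._token.access_token
        with self._lock:
            # Re-check under the lock so concurrent callers trigger a single renewal.
            if self._stale():
                self._renew()
            return self._token.access_token

    def _renew(self) -> None:
        response = self._fetch({
            "grant_type": "client_credentials",
            "client_id": self._client_id,
            "client_secret": self._client_secret,
            "scope": SCOPE,
        })
        issued_at = self._clock()
        self._token = CachedToken(response["access_token"],
                                  issued_at + int(response["expires_in"]))


def http_fetch(fields: Dict[str, str]) -> dict:
    """Real transport: form-encoded POST to the token endpoint (not used by the offline demo)."""
    body = urllib.parse.urlencode(fields).encode()
    request = urllib.request.Request(TOKEN_URL, data=body, method="POST",
                                     headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(request, timeout=10) as resp:
        return json.load(resp)


class FakeIssuer:
    """Constructed stand-in for the token endpoint: issues 15-minute tokens and counts requests."""

    def __init__(self) -> None:
        self.requests = 0

    def __call__(self, fields: Dict[str, str]) -> dict:
        if fields.get("grant_type") != "client_credentials" or fields.get("scope") != SCOPE:
            raise ValueError("unexpected token request")
        self.requests += 1
        return {"access_token": f"tok-{self.requests}", "token_type": "Bearer", "expires_in": 900}


def demo():
    """Drive the cache with a controllable clock; returns (issuer requests, first token, last token)."""
    now = [1_700_000_000.0]
    issuer = FakeIssuer()
    cache = M2MTokenCache("app-123", "s3cret", issuer, clock=lambda: now[0])
    first = cache.get()
    for _ in range(100):          # 100 API calls: still a single token request
        cache.get()
    now[0] += 800                 # 100 s of lifetime left: outside the skew window, no renewal
    cache.get()
    now[0] += 41                  # 59 s left: inside the skew window, renew exactly once
    last = cache.get()
    return issuer.requests, first, last
```

In production, construct one cache per app and pass http_fetch as the transport; the cache is safe to share across threads, and the double-checked lock keeps a burst of concurrent callers from stampeding the token endpoint when the token ages out.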
2. App Isolation
Each tenant app is an isolated machine identity.
- every app has its own client_id and client_secret
- apps can be enabled or disabled independently
- apps carry their own license region and usage metadata
- plan assignment is tracked per app
This means one app can be rotated, disabled, or reconfigured without affecting other apps in the same tenant.
3. Allowed Domains
Apps can store up to three allowed domains as security metadata.
Typical usage:
| Slot | Recommended Use |
|---|---|
| allowed_domain_1 | Production, for example myapp.com |
| allowed_domain_2 | Staging, for example staging.myapp.com |
| allowed_domain_3 | Local development, for example localhost:3000 |
Allowed domains are normalized before storage.
- protocols are stripped
- trailing slashes are removed
- wildcards are rejected
- localhost with a valid port is allowed
When configured, these values are included in the app’s access token as claims.
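A normalizer that applies the rules above, as an added example rather than the platform's own validation code. The four documented rules are implemented as stated; the stricter checks are assumptions of this example: paths, queries, fragments and userinfo are rejected, a port is accepted only on localhost (bare localhost is accepted too), hostnames are ASCII and checked label by label, and the slot helper enforces the three-slot limit and rejects duplicates.

```python
import re
from typing import Dict, List

# Hostname labels: letters, digits, hyphens, no leading or trailing hyphen, at most 63 chars.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://")
MAX_ALLOWED_DOMAINS = 3


class InvalidDomain(ValueError):
    """Raised when a value cannot be stored as an allowed domain."""


def normalize_allowed_domain(raw: str) -> str:
    value = _SCHEME_RE.sub("", raw.strip().lower())    # protocols are stripped
    value = value.rstrip("/")                           # trailing slashes are removed
    if "*" in value:
        raise InvalidDomain("wildcards are rejected")
    if any(ch in value for ch in "/?#@ "):
        # Assumption: paths, queries, fragments and userinfo are not part of a domain.
        raise InvalidDomain("expected a bare host, optionally with a port on localhost")
    host, sep, port = value.partition(":")
    if sep and not port:
        raise InvalidDomain("empty port")
    if port:
        if host != "localhost":
            raise InvalidDomain("ports are only accepted on localhost")   # assumption
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise InvalidDomain("localhost port must be between 1 and 65535")
        return f"localhost:{int(port)}"
    if host == "localhost":
        return host
    labels = host.split(".")
    if len(labels) < 2 or len(host) > 253 or not all(_LABEL_RE.match(label) for label in labels):
        raise InvalidDomain(f"not a valid hostname: {raw!r}")
    return host


def rejects(raw: str) -> bool:
    """True when the value is refused by the normalizer (convenience for checks)."""
    try:
        normalize_allowed_domain(raw)
    except InvalidDomain:
        return True
    return False


def assign_allowed_domains(values: List[str]) -> Dict[str, str]:
    """Normalize up to three entries and map them onto allowed_domain_1..3."""
    if len(values) > MAX_ALLOWED_DOMAINS:
        raise InvalidDomain(f"at most {MAX_ALLOWED_DOMAINS} allowed domains")
    slots: Dict[str, str] = {}
    for index, raw in enumerate(values, start=1):
        normalized = normalize_allowed_domain(raw)
        if normalized in slots.values():
            raise InvalidDomain(f"duplicate allowed domain: {normalized}")
        slots[f"allowed_domain_{index}"] = normalized
    return slots
```

Run your own values through normalize_allowed_domain before submitting them so that what you store is exactly what ends up in the token claims; a value such as "https://myapp.com/" becomes "myapp.com", and "*.myapp.com" is refused up front rather than silently stored as something you did not intend.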
4. Plan And Usage Protection
Plans control the usage limits attached to an app.
- if no plan is assigned, the app can still obtain a token, but the limits claim is omitted; treat a missing limits claim as "no plan assigned", not as "unlimited"
- if a usable plan is assigned, the token includes usage limits
- if a retired plan is assigned, token issuance is blocked
Usage is measured in Document Units.
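An added example of how a client can inspect the claims described in the Allowed Domains and Plan And Usage Protection sections; it is not TrueParser code. The page names the limits claim and the allowed_domain_1..3 slots; that those are the literal claim names, that exp is the expiry claim, and the shape of the limits value are assumptions. The payload is decoded without verifying the signature, which is fine for a client reading a token it just received from the issuer over TLS (to schedule renewal or to confirm a plan is attached) and never acceptable as the basis for an access decision.

```python
import base64
import json
import time
from typing import Any, Dict, Optional

# Assumption: claim names. Adjust to the claims your tokens actually carry.
DOMAIN_CLAIMS = ("allowed_domain_1", "allowed_domain_2", "allowed_domain_3")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(token: str) -> Dict[str, Any]:
    """Return the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def summarize_token(token: str, now: Optional[float] = None) -> Dict[str, Any]:
    payload = decode_payload(token)
    now = time.time() if now is None else now
    return {
        "seconds_remaining": int(payload["exp"] - now),
        "allowed_domains": [payload[claim] for claim in DOMAIN_CLAIMS if claim in payload],
        # A missing limits claim means no plan is assigned. It does not mean "unlimited".
        "limits": payload.get("limits"),
        "plan_assigned": "limits" in payload,
    }


def constructed_token(payload: Dict[str, Any]) -> str:
    """Build a constructed token for the offline demo; the signature segment is a placeholder."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"


def demo():
    """Two constructed tokens: one for an app with a usable plan, one for an app without a plan."""
    issued = 1_700_000_000
    with_plan = constructed_token({
        "sub": "app-123", "scope": "TrueParser.API", "exp": issued + 900,
        "allowed_domain_1": "myapp.com", "allowed_domain_3": "localhost:3000",
        "limits": {"document_units": 10000},   # sample shape of the limits value (assumption)
    })
    no_plan = constructed_token({"sub": "app-456", "scope": "TrueParser.API", "exp": issued + 900})
    return summarize_token(with_plan, now=issued + 100), summarize_token(no_plan, now=issued + 100)
```

Treating plan_assigned as a separate signal from limits matters operationally: an app with no plan can still get a token, so a deployment that silently works in staging with no limits claim is not evidence that the production app has a plan attached.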
5. Platform Protection
TrueParser protects the platform with runtime and traffic controls.
Rate Limiting
Rate limiting helps protect sensitive endpoints from abuse and accidental overload.
- authentication and other sensitive endpoints are protected by request limits
- clients should avoid unnecessary token requests
- clients should reuse access tokens until renewal is needed
Resource Guard
TrueParser also monitors runtime resource pressure to protect platform stability.
- the platform monitors service health and resource pressure
- during overload conditions, requests may be slowed, deferred, or rejected
- this helps preserve stability for all tenants sharing the platform
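A client-side retry policy for the rate limiting and resource guard behaviour described above, as an added example and not part of TrueParser's SDK. It assumes the platform signals limiting and overload with HTTP 429 and 503 and may send a Retry-After header in seconds; confirm the actual status codes against your API responses. The point a practitioner needs: retry only those responses, honor Retry-After, jitter everything else, and return authentication failures immediately, since retrying a bad credential only burns the request limit on the token endpoint.

```python
import random
import time
from typing import Callable, Dict, List, Optional, Tuple

# Assumption: these status codes mean "slowed, deferred, or rejected by the platform".
RETRYABLE = {429, 503}
Response = Tuple[int, Dict[str, str], bytes]   # (status, headers, body)


def backoff_delay(attempt: int, retry_after: Optional[str], base: float = 1.0, cap: float = 30.0,
                  rng: Callable[[], float] = random.random) -> float:
    """Honor a numeric Retry-After when present; otherwise exponential backoff with full jitter."""
    if retry_after is not None and retry_after.strip().isdigit():
        return float(retry_after.strip())
    return rng() * min(cap, base * (2 ** attempt))


def call_with_backoff(send: Callable[[], Response], max_attempts: int = 5,
                      sleep: Callable[[float], None] = time.sleep,
                      rng: Callable[[], float] = random.random) -> Response:
    """Retry on 429/503 only. Anything else, including 401/403, is returned to the caller at once."""
    attempt = 0
    while True:
        response = send()
        status, headers, _ = response
        if status not in RETRYABLE or attempt + 1 >= max_attempts:
            return response
        lowered = {name.lower(): value for name, value in headers.items()}
        sleep(backoff_delay(attempt, lowered.get("retry-after"), rng=rng))
        attempt += 1


def demo():
    """Constructed response sequence: rate limited, then deferred by the resource guard, then success."""
    scripted: List[Response] = [
        (429, {"Retry-After": "2"}, b""),
        (503, {}, b"resource guard: deferred"),
        (200, {"Content-Type": "application/json"}, b'{"ok": true}'),
    ]
    sleeps: List[float] = []
    status, _, _ = call_with_backoff(lambda: scripted.pop(0), sleep=sleeps.append, rng=lambda: 0.5)
    return status, sleeps


def demo_auth_failure():
    """A 401 is not retried: returns (status, number of requests sent, sleeps performed)."""
    sent: List[int] = []
    sleeps: List[float] = []

    def send() -> Response:
        sent.append(1)
        return (401, {}, b"invalid_client")

    status, _, _ = call_with_backoff(send, sleep=sleeps.append)
    return status, len(sent), sleeps
```

With the scripted responses the call sleeps 2 s (from Retry-After), then 1 s (full jitter on a 2 s base at rng 0.5), and returns the 200; the 401 case returns after a single request. Wrap both API calls and token requests in the same policy, and keep max_attempts small so a sustained overload fails fast in your service rather than piling queued retries onto a platform that is already shedding load.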
6. Credential Handling
Treat the app secret as a sensitive backend credential.
- the plaintext client_secret is shown once, when the app is created
- if the secret is regenerated, the new plaintext secret is shown once for that regeneration event
- regenerating a secret invalidates the old one, so roll the new secret out to every consumer of that app as part of the same rotation
- store secrets in your own secure secret manager, never in source control, container images, or client-side code
7. Auditability
Security-sensitive operations should be treated as operational events.
- tenant and app lifecycle changes affect access behavior
- credential rotation and plan changes should be tracked in your own operational process
- if access behavior changes unexpectedly, verify app status, tenant status, plan status, and secret validity first