# Identity Edge API

## Active External Protocol

- REST is the active external protocol for this BFF deployment.
- Internal service calls default to gRPC-adapted contracts.

## Entrypoints

- Canonical session endpoints:
  - `POST /api/identity/session/login`
  - `POST /api/identity/session/refresh`
  - `POST /api/identity/session/logout`
  - `GET /api/identity/session/me`
- Canonical OIDC endpoints:
  - `GET /api/identity/oidc/google/start`
  - `GET /api/identity/oidc/google/callback`
- Compatibility endpoints:
  - `POST /api/identity/token`
  - `POST /api/identity/login`
  - `POST /api/identity/token/refresh`
  - `POST /api/identity/logout`

## Boundary Notes

- Endpoint handlers perform edge validation and permission checks.
- Session login and refresh call the canonical thalos-service session gRPC operations.
- OIDC start/callback handlers generate and validate the PKCE/state/nonce payloads.
- Session cookies are managed at the BFF edge (`thalos_session`, `thalos_refresh`) with an env-driven secure/domain policy.
- Token issuance and policy evaluation contracts remain available for compatibility calls.
- Business orchestration remains in thalos-service.
- Identity abstractions remain owned by the Thalos repositories.
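The following is an added example, not code from this repository or from thalos-service, illustrating the two edge responsibilities named in the Boundary Notes: generating and validating the PKCE/state/nonce payloads for the OIDC start/callback pair, and deriving the session-cookie attributes from environment configuration. The names `TransientStore`, `oidc_start`, `oidc_callback`, `cookie_policy` and the `APP_ENV`/`COOKIE_SECURE`/`COOKIE_DOMAIN` variables are assumptions; the Google authorization endpoint is real, but the code exchange and ID-token signature verification are represented by a caller-supplied callback rather than implemented here.

```python
"""Added example (not the project's code). Hypothetical helper names; the
token exchange and ID-token verification are passed in as a callback."""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import urlencode

AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth"  # Google's authorization endpoint
TRANSIENT_TTL = 300  # seconds a login attempt may stay in flight (assumed value)


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_pair() -> tuple[str, str]:
    """RFC 7636 S256: 43-char verifier, challenge = BASE64URL(SHA256(verifier))."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


@dataclass
class Transient:
    verifier: str
    nonce: str
    expires_at: float


@dataclass
class TransientStore:
    """Server-side, single-use store keyed by state (in-memory here; assumed
    to be a shared store such as Redis behind a multi-instance BFF)."""
    items: dict[str, Transient] = field(default_factory=dict)

    def put(self, state: str, t: Transient) -> None:
        self.items[state] = t

    def pop(self, state: str) -> Transient | None:
        # pop, not get: a state value is consumed on first use, so a replayed
        # callback with the same state fails even if it arrives in time
        return self.items.pop(state, None)


def oidc_start(store: TransientStore, client_id: str, redirect_uri: str,
               now: float | None = None) -> tuple[str, str]:
    """Create state/nonce/verifier, persist them, return (state, redirect URL)."""
    now = time.time() if now is None else now
    verifier, challenge = pkce_pair()
    state = _b64url(secrets.token_bytes(32))
    nonce = _b64url(secrets.token_bytes(32))
    store.put(state, Transient(verifier, nonce, now + TRANSIENT_TTL))
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid email profile", "state": state, "nonce": nonce,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return state, f"{AUTH_URL}?{urlencode(params)}"


class OidcError(Exception):
    """Raised for any callback the edge must reject before touching thalos-service."""


def oidc_callback(store: TransientStore, query: dict, exchange, now: float | None = None) -> dict:
    """Validate the callback. `exchange(code, verifier)` must redeem the code with
    the verifier and return the verified ID-token claims (done elsewhere)."""
    now = time.time() if now is None else now
    if "error" in query:
        raise OidcError(f"provider error: {query['error']}")
    state, code = query.get("state"), query.get("code")
    if not state or not code:
        raise OidcError("missing state or code")
    t = store.pop(state)
    if t is None:
        raise OidcError("unknown or replayed state")
    if now > t.expires_at:
        raise OidcError("state expired")
    claims = exchange(code, t.verifier)
    # nonce binds the ID token to this browser's start request; constant-time compare
    if not hmac.compare_digest(claims.get("nonce", ""), t.nonce):
        raise OidcError("nonce mismatch")
    return claims


def cookie_policy(env: dict) -> dict:
    """Env-driven attributes for thalos_session / thalos_refresh. Refuses to
    drop the Secure flag unless the environment is explicitly development."""
    app_env = env.get("APP_ENV", "production")
    secure = env.get("COOKIE_SECURE", "true").lower() == "true"
    if not secure and app_env != "development":
        raise ValueError("COOKIE_SECURE=false is only allowed with APP_ENV=development")
    policy = {"HttpOnly": True, "Secure": secure, "SameSite": "Lax", "Path": "/"}
    if env.get("COOKIE_DOMAIN"):
        policy["Domain"] = env["COOKIE_DOMAIN"]
    return policy
```

The store is keyed by `state` and entries are removed on first use, so a second callback carrying the same `state` is rejected as a replay, and an entry older than `TRANSIENT_TTL` is rejected even though it still existed; the nonce check is what ties the returned ID token to the request this browser actually started. `cookie_policy` fails closed: a deployment that forgets to set `COOKIE_SECURE` gets a Secure cookie, and only an explicit development environment may turn it off.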