Four doors, four locks: the authentication architecture
RESP, gRPC, REST, and the dashboard each get auth that fits their use — constant-time tokens for the data plane, RBAC for the control plane, mandatory locks past loopback.
A system with four protocol surfaces needs four deliberate auth answers, not one stretched thin. Crowkis's data plane — RESP and gRPC — takes a bearer token compared in constant time, the right primitive for high-frequency machine traffic: fast, simple, immune to timing side-channels on the comparison.
The control plane earns richer machinery, because humans and automation share it with different privileges: admin keys, hashed multi-user API keys, and sessions, with endpoints gated by role — readers read, writers mutate, admins administer. Dashboard metrics and the live feed sit behind the same gates, because operational telemetry is sensitive data wearing a graph.
One file to security-review. No supply chain to poison.
The binding rule ties it together: any non-loopback bind makes control-plane auth mandatory automatically, so the gap between 'deployed' and 'secured' — where most real-world incidents live — doesn't exist. Local development stays frictionless on loopback; production stays locked by default.
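The binding rule and the role gates above, as an added sketch that is not Crowkis's own code. The function names, the reader < writer < admin ordering, the SHA-256 key hashing and the sample keys are all assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

ROLE_RANK = {"reader": 1, "writer": 2, "admin": 3}  # assumed ordering


def _hash(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed sample key store: only hashes are kept, never the keys.
KEYS = {_hash("sample-reader-key"): "reader", _hash("sample-admin-key"): "admin"}


def is_loopback(host: str) -> bool:
    """True for 'localhost' and literal loopback addresses (127.0.0.0/8, ::1)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # "" (bind-all) or an unknown name: treat as exposed


def auth_required(bind_host: str, auth_requested: bool) -> bool:
    """Auth is optional only on loopback; any other bind forces it on."""
    return auth_requested or not is_loopback(bind_host)


def role_for(presented: Optional[str]) -> Optional[str]:
    """Hash the presented key and compare it to every stored hash in constant time."""
    if presented is None:
        return None
    digest, found = _hash(presented), None
    for stored, role in KEYS.items():  # no early exit on a match
        if hmac.compare_digest(stored, digest):
            found = role
    return found


def gate(bind_host: str, auth_requested: bool, presented: Optional[str], needed: str) -> int:
    """Return an HTTP-style status for a control-plane request."""
    if not auth_required(bind_host, auth_requested):
        return 200  # loopback development with auth left off
    role = role_for(presented)
    if role is None:
        return 401  # missing or unknown key
    return 200 if ROLE_RANK[role] >= ROLE_RANK[needed] else 403
```

Hashing the presented key before comparing gives both sides of `hmac.compare_digest` the same length, so the comparison does not reveal the length of a stored secret.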
The bottom line
Enterprise grafts your identity provider on top via SSO/SAML/OIDC, making Okta offboarding equal Crowkis offboarding. Four doors, four locks, one rule: the easy path is the safe one.