This is written on [[2026-07-06]], and may not be applicable in the future. The Lore team has plans to revisit their auth story.
# Overview
Lore uses [[JSON Web Tokens]] for authentication, but requires an external service to manage this. That external service is not part of their shipped infrastructure, so there's some missing pieces here. It's likely a hold-over from their internal server.
By default, Lore servers are completely public, readable and writable.
# Authentication Parts
Lore appears to have two parts to its authentication:
1. `lore-server` verification layer
2. Epic-internal `UrcAuthApi` [[gRPC]] service.
## Server Verification Layer
This is a pluggable layer within the server that takes a caller-supplied [[JSON Web Tokens|JWT]] and verifies it against the loaded [[JWKS]] file based on the [[KID]].
If `[server.auth.jwk]` is set, then this is supposed to perform verification on each service.
This does not support [[OIDC]].