This is written on [[2026-07-06]], and may not be applicable in the future. The Lore team has plans to revisit their auth story. # Overview Lore uses [[JSON Web Tokens]] for authentication, but requires an external service to manage this. That external service is not part of their shipped infrastructure, so there's some missing pieces here. It's likely a hold-over from their internal server. By default, Lore servers are completely public, readable and writable. # Authentication Parts Lore appears to have two parts to its authentication: 1. `lore-server` verification layer 2. Epic-internal `UrcAuthApi` [[gRPC]] service. ## Server Verification Layer This is a pluggable layer within the server that takes a caller-supplied [[JSON Web Tokens|JWT]] and verifies it against the loaded [[JWKS]] file based on the [[KID]]. If `[server.auth.jwk]` is set, then this is supposed to perform verification on each service. This does not support [[OIDC]].