OIDC / OAuth2 Authentication
TagFinder uses Keycloak as its identity provider. All authentication follows the OpenID Connect (OIDC) standard with OAuth2 authorization.
PKCE flow for web and mobile
The frontend uses the Authorization Code flow with PKCE (Proof Key for Code Exchange). This is the recommended flow for browser-based and other public clients, which cannot keep a client secret: no client secret is exposed in the browser, and the PKCE code verifier ties the authorization code to the client that started the flow.
API keys for automation
For machine-to-machine integration (scripts, CI/CD, third-party systems), TagFinder supports API key authentication. API keys are scoped to a specific organization and can be revoked at any time.
SSO for enterprise
Enterprise customers can connect their own identity provider (Azure AD, Okta, Google Workspace) via SAML or OIDC federation. Users sign in with their existing corporate credentials, so there is no separate TagFinder password to manage.
All tokens are short-lived (15 minutes), and refresh tokens are rotated on each use, so a leaked refresh token cannot be replayed indefinitely. Session management is handled entirely by Keycloak.
