ADR-0035 — Machine identity: service accounts + scoped, hashed API keys

V1 Freeze (2026-06-12): Deferred. No workload-identity fleet in V1. Re-opens at P4.

Context

BitVault must authenticate non-human callers — automation, CLIs, third-party integrations, and “BitVault-as-a-backend” apps. Doing this with shared user passwords or long-lived god-tokens is a common source of breaches (leaked keys, no rotation, no attribution, over-broad scope). We need first-class machine identity with least privilege and auditability.

Decision

Consequences

Positive

Negative / costs

Alternatives considered

Scaling

Keyid-indexed hashed lookup is O(1); scopes are evaluated by the PDP (ADR-0010); key namespaces are per-tenant; stale keys are reaped via last-used.
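
A sketch of the lookup path described above, added here as an illustration and not BitVault's own code. The `keyid.secret` token format, SHA-256 over a high-entropy random secret, the in-memory dict, and the names `KeyStore`, `issue`, `verify` and `reap_stale` are all assumptions; scope evaluation is left to the PDP, which receives the returned scopes.

```python
import hashlib
import hmac
import secrets


class KeyStore:
    """Hypothetical in-memory store: (tenant, keyid) -> hashed key record."""

    def __init__(self):
        self._keys = {}  # per-tenant namespace via the (tenant, keyid) index

    def issue(self, tenant, service_account, scopes, now):
        keyid = secrets.token_hex(8)        # public, non-secret lookup handle
        secret = secrets.token_urlsafe(32)  # 256-bit random secret, never stored
        self._keys[(tenant, keyid)] = {
            "hash": hashlib.sha256(secret.encode()).digest(),
            "service_account": service_account,
            "scopes": frozenset(scopes),
            "last_used": now,
        }
        return f"{keyid}.{secret}"  # shown to the caller once

    def verify(self, tenant, token, now):
        keyid, sep, secret = token.partition(".")
        rec = self._keys.get((tenant, keyid))  # O(1): no scan over stored hashes
        # Hash and compare even on a miss so hit and miss do similar work.
        presented = hashlib.sha256(secret.encode()).digest()
        expected = rec["hash"] if rec else bytes(32)
        ok = hmac.compare_digest(presented, expected)
        if not (rec and sep and ok):
            return None
        rec["last_used"] = now  # feeds stale-key reaping
        return rec["service_account"], rec["scopes"]  # scopes go to the PDP

    def reap_stale(self, now, max_idle):
        stale = [k for k, r in self._keys.items()
                 if now - r["last_used"] > max_idle]
        for k in stale:
            del self._keys[k]
        return len(stale)
```

Because the key ID selects exactly one record, verification costs one dict lookup and one hash regardless of how many keys a tenant holds, and a key presented under another tenant's namespace simply misses.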