# ADR-011: API Security Mode Selection - mTLS / OAuth2 / Hybrid

## Metadata

| Field | Value |
|---|---|
| Status | ✅ Accepted |
| Date | 11 January 2026 |
| Linear | CAB-410 |
## Context

STOA Gateway must support multiple API security modes depending on usage contexts. Rather than letting teams guess, we formalize a Decision Tree that automatically recommends the right mode.

## Options Considered
| Option | Description | Verdict |
|---|---|---|
| mTLS only | Client certificate authentication | ✅ For CORE internal APIs |
| OAuth2 only | JWT tokens with scopes | ✅ For SELF-SERVICE APIs |
| mTLS + OAuth2 | Dual authentication | ✅ For critical exposed APIs |
| API Key only | Static secret | ⚠️ Community tier only |
## Decision

Implement an automated Decision Tree to recommend the optimal API security mode.

### Decision Tree
```
                                 ┌─────────────────────┐
                                 │   Consumer type?    │
                                 └──────────┬──────────┘
                                            │
                           ┌────────────────┴────────────────┐
                           │                                 │
                       [Internal]                        [External]
                           │                                 │
                           ▼                                 ▼
                 ┌───────────────────┐             ┌───────────────────┐
                 │    Flow type?     │             │  OAuth2 required  │
                 └─────────┬─────────┘             └─────────┬─────────┘
                           │                                 │
                 ┌─────────┴─────────┐                       │
                 │                   │                       ▼
               [A2A]              [User]           ┌───────────────────┐
                 │                   │             │  Critical domain? │
                 │                   ▼             └─────────┬─────────┘
                 │            OAuth2 required                │
                 ▼                                 ┌─────────┴─────────┐
       ┌───────────────────┐                       │                   │
       │ Critical domain?  │                     [Yes]               [No]
       └─────────┬─────────┘                       │                   │
                 │                                 ▼                   ▼
          ┌──────┴──────┐                  ┌───────────────┐   ┌───────────────┐
          │             │                  │ mTLS + OAuth2 │   │  OAuth2 only  │
        [Yes]         [No]                 │   (HYBRID)    │   │(SELF-SERVICE) │
          │             │                  └───────────────┘   └───────────────┘
          ▼             ▼
     ┌────────┐  ┌────────────┐
     │  mTLS  │  │ OAuth2 or  │
     │ (CORE) │  │ mTLS per   │
     └────────┘  │ governance │
                 └────────────┘
```
## Decision Rules

| Case | Conditions | Recommended Mode |
|---|---|---|
| 🟢 CORE | Internal + A2A + Critical + Stable rights | mTLS |
| 🔵 SELF-SERVICE | External + User/BFF + DX priority | OAuth2 |
| 🟣 HYBRID | Critical + External + Strong governance | mTLS + OAuth2 |
## Consequences

### Positive

- Automatic and consistent recommendation
- Reduced security configuration errors
- Documented decisions for audit

### Negative

- Additional tooling complexity
- Learning curve for teams

### Neutral

- Teams can deviate with documented justification
## MCP Tool: security-advisor

```jsonc
// Input
{
  "consumer_type": "internal | external",
  "flow_type": "a2a | user",
  "rights_variability": "static | dynamic",
  "domain_criticality": "low | high",
  "governance_level": "basic | strong"
}

// Output
{
  "recommended_security_mode": "mTLS | OAuth2 | mTLS+OAuth2",
  "justification": ["Critical domain", "Internal A2A flow"],
  "risk_level": "low | medium | high",
  "implementation_notes": ["Short-lived client cert", "ABAC policy"]
}
```
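The following is an added reference implementation of the decision tree and decision rules above, in the input/output shape of the `security-advisor` tool; it is example code written for this page, not the STOA Gateway's own advisor. The field names and vocabularies are taken from the tool schema. Everything else is an assumption made to produce a complete recommendation: the risk scale (critical + external = high, critical + internal = medium, otherwise low), the reading of "OAuth2 or mTLS per governance" as mTLS under strong governance and OAuth2 under basic governance, the addition of an "ABAC policy" note when a critical A2A flow has dynamic rights, and the wording of the justification and implementation-note strings.

```python
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Set

# Allowed values per field, taken from the MCP tool input schema in the ADR.
VALID_VALUES: Dict[str, Set[str]] = {
    "consumer_type": {"internal", "external"},
    "flow_type": {"a2a", "user"},
    "rights_variability": {"static", "dynamic"},
    "domain_criticality": {"low", "high"},
    "governance_level": {"basic", "strong"},
}


@dataclass
class Recommendation:
    """Shape of the MCP tool output in the ADR."""
    recommended_security_mode: str   # "mTLS" | "OAuth2" | "mTLS+OAuth2"
    justification: List[str]
    risk_level: str                  # "low" | "medium" | "high"
    implementation_notes: List[str]


def validate_request(req: Dict[str, str]) -> None:
    """Fail closed: unknown fields or out-of-vocabulary values never reach the tree."""
    unknown = set(req) - set(VALID_VALUES)
    if unknown:
        raise ValueError(f"unknown field(s): {sorted(unknown)}")
    for key, allowed in VALID_VALUES.items():
        if req.get(key) not in allowed:
            raise ValueError(f"{key} must be one of {sorted(allowed)}, got {req.get(key)!r}")


def risk_level(critical: bool, external: bool) -> str:
    """Assumed risk scale (not from the ADR): exposure and criticality drive the level."""
    if critical and external:
        return "high"
    if critical:
        return "medium"
    return "low"


def security_advisor(req: Dict[str, str]) -> Recommendation:
    """Walk the ADR-011 decision tree for one request and return a recommendation."""
    validate_request(req)
    external = req["consumer_type"] == "external"
    critical = req["domain_criticality"] == "high"
    strong_gov = req["governance_level"] == "strong"
    risk = risk_level(critical, external)

    if external:
        # External branch: OAuth2 is always required; criticality decides whether mTLS is added.
        if critical:
            return Recommendation("mTLS+OAuth2", ["External consumer", "Critical domain"],
                                  risk, ["Short-lived client cert", "Scoped, audience-bound JWT"])
        return Recommendation("OAuth2", ["External consumer", "Non-critical domain"],
                              risk, ["Scoped JWT", "Short token lifetime"])

    if req["flow_type"] == "user":
        # Internal user flow: the tree requires OAuth2 so the end-user identity travels in the token.
        return Recommendation("OAuth2", ["Internal user flow"], risk, ["Scoped JWT"])

    # Internal A2A flow.
    if critical:
        why = ["Internal A2A flow", "Critical domain"]
        notes = ["Short-lived client cert"]
        if req["rights_variability"] == "dynamic":
            # Assumption: CORE presumes stable rights; with dynamic rights the client cert still
            # authenticates the workload, but authorization needs a policy layer (ABAC) on top.
            why.append("Dynamic rights")
            notes.append("ABAC policy")
        return Recommendation("mTLS", why, risk, notes)

    # Non-critical A2A: the tree says "OAuth2 or mTLS per governance".
    # Assumption: strong governance selects mTLS, basic governance selects OAuth2.
    if strong_gov:
        return Recommendation("mTLS", ["Internal A2A flow", "Non-critical domain", "Strong governance"],
                              risk, ["Short-lived client cert"])
    return Recommendation("OAuth2", ["Internal A2A flow", "Non-critical domain", "Basic governance"],
                          risk, ["Scoped JWT"])


def advise_json(request_json: str) -> str:
    """JSON-in / JSON-out wrapper, the shape an MCP tool handler would expose."""
    return json.dumps(asdict(security_advisor(json.loads(request_json))), indent=2)


if __name__ == "__main__":
    # Constructed sample request: an internal machine-to-machine call into a critical domain.
    sample = {"consumer_type": "internal", "flow_type": "a2a", "rights_variability": "static",
              "domain_criticality": "high", "governance_level": "strong"}
    print(advise_json(json.dumps(sample)))
```

The validation step is deliberately strict: a request with an unknown field or a value outside the schema's vocabulary is rejected rather than silently mapped to a default branch, so a mistyped `"domain_criticality": "High"` cannot turn a HYBRID case into a SELF-SERVICE recommendation.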
## References
- CAB-410: Decision Tree Implementation
- CAB-361: OAuth2/OIDC Enterprise
- ADR-015: Sender-Constrained Tokens (planned)