Roles and Access Control

TrustMint is a headless backend service — it has no UI of its own. It provides REST APIs (api.flexgalaxy.com/entitlements/v1/...) that are consumed by multiple frontend apps and external partner systems.

This document describes the role model, permission boundaries, approval workflow delegation, and the frontend apps that consume TrustMint APIs.

Roles

Role                        | Responsibility                                                                     | Access Method
----------------------------|------------------------------------------------------------------------------------|-------------------------------------------------------------
Device Manufacturer         | Provisions devices, enrolls them into the platform, manages device inventory       | ThingHub (console.flexgalaxy.com/thinghub/) + API
License Manager (optional)  | Intercepts the approval workflow to review and approve OFFICIAL license requests   | External app built by the partner, consuming FlexGalaxy APIs
License Issuer              | Issues software licenses on demand, manages device enrollment at platform level    | FlexGalaxy.AI platform (TrustMint service itself)

A single account may hold both the Device Manufacturer and License Manager roles.

The License Manager role is optional — it is an external partner (e.g. WHITE) that subscribes to TrustMint webhooks and inserts itself into the approval workflow. Without a license manager, the platform handles approvals directly (see Approval Workflow Delegation below).

Permission Boundary Model

TrustMint uses auto-provisioned permission boundaries. When an account subscribes to TrustMint and declares its role(s), the platform automatically assigns the appropriate permission boundaries — no manual setup required for the common case.

Account subscribes to TrustMint
     │
     ├── Declares role: Device Manufacturer
     │     └── Auto-assign: devices.read, devices.write, events.read, certificates.read
     │
     ├── Declares role: License Manager
     │     └── Auto-assign: approvals.read, approvals.write, devices.read, licenses.read
     │
     └── Declares both roles
           └── Auto-assign: union of both permission sets

Permission boundaries map to DotID’s policy-based access control model — each role declaration triggers assignment of the corresponding managed policy set. No RBAC entity is needed; the “role” is just a label that determines which policies apply.

Platform administrators can override permission boundaries manually for edge cases.

IAM Separation

TrustMint does not handle identity or access management:

  • Access keys and secret keys are created and managed by users in a self-service manner through AdminCenter (console.flexgalaxy.com/admincenter/), specifically the Service Users page.

  • Authentication is handled by Keycloak — TrustMint is a pure OAuth2 Resource Server.

  • Authorization policies are managed centrally by the platform IAM service.

This separation ensures that IAM concerns remain centralized, and TrustMint focuses solely on license lifecycle management.

Approval Workflow Delegation

The license approval workflow supports configurable delegation. The license manager role is an optional intermediary — the platform works with or without one.

Scenario                                 | TRIAL License                                | OFFICIAL License
-----------------------------------------|----------------------------------------------|---------------------------------------------------------------
No license manager configured            | Auto-approve (platform issues automatically) | Auto-approve OR platform admin reviews via BoardingPass
License manager registered (e.g. WHITE)  | Auto-approve (platform issues automatically) | Webhook → partner’s external app → decision callback via API

When a license manager partner registers a webhook subscriber for an account, the partner intercepts the license_upgrade.requested event and calls back with a decision. This delegates the approval authority to the partner, which builds its own approval UI using FlexGalaxy APIs.

When no webhook subscriber is registered, the platform handles it directly:

  • TRIAL requests are always auto-approved

  • OFFICIAL requests are either auto-approved (based on applet triage category) or queued for platform admin review in BoardingPass

OFFICIAL license request arrives
     │
     ├── Webhook subscriber registered?
     │     │
     │     ├── YES → Send license_upgrade.requested webhook
     │     │         Partner reviews in their own app
     │     │         Partner calls POST /.../decision
     │     │
     │     └── NO  → Queue for platform admin
     │               Admin reviews in BoardingPass
     │               Admin approves/refuses
     │
     └── Decision received
           ├── APPROVE → Issue certificate + JWT, update subscription
           └── REFUSE  → Mark as refused
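The permission boundary union from the Permission Boundary Model section and the OFFICIAL-license routing in this decision tree, as an added example that is not TrustMint's own code: it computes the auto-assigned policy sets, routes a request to the webhook subscriber or to the platform admin queue, and enforces on the decision callback that only the party the request was delegated to, holding approvals.write, can decide it, and only once. The subscriber registry, the in-memory store, the "platform-admin" label and the callback checks are assumptions.

```python
ROLE_POLICIES = {  # managed policy sets auto-assigned per declared role (from the section above)
    "Device Manufacturer": {"devices.read", "devices.write", "events.read", "certificates.read"},
    "License Manager": {"approvals.read", "approvals.write", "devices.read", "licenses.read"},
}

def effective_permissions(declared_roles):
    """Permission boundary for an account: the union of the policy sets of its declared roles."""
    perms = set()
    for role in declared_roles:
        perms |= ROLE_POLICIES[role]
    return perms

webhook_subscribers = {}  # assumed registry: tenant account -> license manager partner account
requests = {}             # assumed in-memory store: request_id -> state of the license request
outbox = []               # webhooks the platform would emit (captured here, never sent)

def submit_request(request_id, account, license_type):
    """Routes a new license request the way the decision tree above describes."""
    if license_type == "TRIAL":  # TRIAL is always auto-approved
        requests[request_id] = {"account": account, "status": "APPROVED", "route": "AUTO"}
        return "AUTO"
    if account in webhook_subscribers:  # delegated: the partner decides in its own app
        outbox.append({"event": "license_upgrade.requested", "account": account, "request_id": request_id})
        route = "WEBHOOK"
    else:                               # fallback: platform admin reviews in BoardingPass
        route = "ADMIN"
    requests[request_id] = {"account": account, "status": "PENDING", "route": route}
    return route

def decide(request_id, caller, caller_perms, decision):
    """Decision callback. Assumed checks: the caller holds approvals.write, is the party the
    request was routed to, and the request is still PENDING, so a second callback is rejected."""
    if decision not in ("APPROVE", "REFUSE"):
        raise ValueError("decision must be APPROVE or REFUSE")
    req = requests[request_id]
    if req["status"] != "PENDING":
        raise PermissionError("request already decided")
    if "approvals.write" not in caller_perms:
        raise PermissionError("caller lacks approvals.write")
    # "platform-admin" is a constructed label for the BoardingPass admin, not a TrustMint role
    expected = webhook_subscribers.get(req["account"]) if req["route"] == "WEBHOOK" else "platform-admin"
    if caller != expected:
        raise PermissionError("caller is not the delegated approver for this request")
    req["status"] = "APPROVED" if decision == "APPROVE" else "REFUSED"
    return req["status"]
```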

Tenant and Platform Tools

ThingHub

URL:        console.flexgalaxy.com/thinghub/
KC Client:  thinghub
Audience:   Device manufacturers, license managers

ThingHub is the unified tenant app for the full device lifecycle — enrollment, licensing, and software updates. It consolidates these tightly coupled concerns into a single app with tab-based navigation.

Tabs:

  • Devices — Enrollment (single and batch), device inventory with status and metadata, enrollment history and provisioning events. Enrolling a device triggers automatic TRIAL license issuance in TrustMint.

  • Licenses — View all issued licenses (TRIAL, OFFICIAL) with status and expiration, request license upgrades (TRIAL to OFFICIAL), track approval status (PENDING, APPROVED, REFUSED), certificate and token details.

  • Updates (OTA) — Software update management, rollout status, update history.

Enrollment flow:

Manufacturer enrolls device in ThingHub (Devices tab)
     │
     ├── TrustMint creates device record
     ├── Auto-issues TRIAL license (X.509 cert + JWT token)
     ├── Records issuance in license ledger
     ├── Sends device.provisioned webhook (if subscriber registered)
     │
     └── Manufacturer views license in ThingHub (Licenses tab)

BoardingPass

URL:        stargate.flexgalaxy.com/boardingpass
KC Client:  boardingpass (master realm)
Audience:   Platform administrators

BoardingPass is the platform admin’s window into the licensing world. It provides cross-account visibility into all license operations and serves as the fallback approval UI when no external license manager is configured.

Key features:

  • License issuance analytics (by type, by account, over time)

  • Device enrollment statistics across all accounts

  • Usage trends and capacity planning

  • Fallback approval workflow for OFFICIAL licenses (when no webhook subscriber)

  • Platform-wide license audit trail

BoardingPass is separate from SuperCrew because SuperCrew focuses on IAM administration, while BoardingPass focuses on licensing operations.

DeckLoader

URL:        stargate.flexgalaxy.com/deckloader
KC Client:  deckloader (master realm)
Audience:   Platform administrators

DeckLoader is the platform admin’s tool for device management across all accounts. While ThingHub gives tenants a view of their own devices, DeckLoader provides platform-wide visibility and control.

Key features:

  • Cross-account device inventory and search

  • Device status monitoring across all tenants

  • Platform-wide enrollment statistics

  • Device lifecycle management (suspend, revoke, transfer)

Tool Summary

Tool          | Gateway   | Audience         | Responsibility
--------------|-----------|------------------|-------------------------------------------------------------
ThingHub      | Console   | Tenants          | Device lifecycle: enrollment, licenses, OTA updates
AdminCenter   | Console   | Tenants          | IAM self-service: users, groups, policies, access keys
DeckLoader    | StarGate  | Platform admins  | Platform-wide device management across all accounts
BoardingPass  | StarGate  | Platform admins  | License analytics, fallback approval, audit
SuperCrew     | StarGate  | Platform admins  | IAM platform administration, permission boundary overrides