Access Management Service

Access Management (IAM) is the multi-tenant control plane: it stores organizations, users, groups, applications, workspaces, and policy sets, authenticates every login, and answers the single question the rest of the platform depends on — what is this user entitled to run, and under which policy?

Function

Deployment modes

| Mode | How it runs | When to use |
|---|---|---|
| builtin | Inside the Gateway process (webstream.exe -gw); path-routed under /iam/* with direct method calls, no HTTP hop. | Default. Single-server and small multi-server deployments. |
| standalone | Its own process: webstream.exe -am, HTTP on port 8090. | Production separation of concerns; multiple gateways sharing one control plane. |
| external | Gateway proxies to a standalone IAM on another server via accessManagement.url. | Reserved: the gateway-side proxy is not yet fully implemented and currently returns 503. |

Ports and endpoints

| Listener | Port | Purpose |
|---|---|---|
| HTTP (standalone only) | accessManagement.httpPort (default 8090), bound to bindAddress | The /iam/* API and /admin/ static assets. In builtin mode there is no separate port: the gateway serves everything. |

Message contracts

The IAM API (/iam/*)

| Endpoint | Method | When | Purpose |
|---|---|---|---|
| /iam/auth/login | POST | Every sign-in | Credentials (or SSO assertion) → JWT bearer token used on all subsequent calls. |
| /iam/auth/me | GET | Session bootstrap | Current user profile from the token. |
| /iam/users/{id}/entitlements | GET | Login and workspace-picker load | The resolved entitlement tree: workspaces → applications → effective policy. |
| /iam/organisations, /iam/users, /iam/groups, /iam/applications, /iam/workspaces, /iam/policies, … | CRUD | Admin console operations | Full control-plane management API (also scriptable; see CLI Scripting Guide). |
| /iam/health | GET | Monitoring | { success, data: { status, version, mode, authMode, database, timestamp } } |

Session brokering (served by the gateway, backed by IAM)

| Endpoint | Method | When | Purpose |
|---|---|---|---|
| /gateway/session/select | POST | Workspace launch | Validates the entitlement, acquires a workspace lease (concurrency slot), and stores the workspace contract that the gateway injects as X-Workspace-* / X-Policy-JSON headers. |
| /gateway/session/release | POST | Workspace end | Releases the lease. |
| /gateway/session/status | GET | Reconnect preflight | Reports lease/session state. Routed requests carrying X-Session-ID also heartbeat the lease to keep it alive. |

Downstream services never call IAM directly: the gateway resolves entitlements once at workspace selection and forwards the result as headers, so session hosts and streamers stay stateless with respect to the control plane. Because session hosts act on those injected headers without re-checking them, they must only be reachable through the gateway (see the note on network isolation under Configuration). Via the gateway, the API is also reachable as /mcp/iam/* for the Ops MCP server (gated by X-MCP-Key).
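The brokering flow above, as an added in-memory model (illustrative code, not the project's own gateway): select checks the entitlement and the per-user concurrency cap, routed requests carrying X-Session-ID heartbeat the lease, and the gateway rebuilds X-Workspace-* / X-Policy-JSON from the stored contract rather than merging anything the client sent. The lease key layout, the X-Workspace-Id / X-Workspace-User header names, the response bodies and the error strings are assumptions made for the example.

```python
"""Added example: in-memory model of /gateway/session/select, /release, /status
and the header contract forwarded to session hosts. Not the project's own code;
header names beyond X-Workspace-* / X-Policy-JSON / X-Session-ID, response bodies
and error strings are assumptions."""
import json
import time
import uuid
from dataclasses import dataclass, field


@dataclass
class Lease:
    user: str
    workspace: str
    contract: dict                      # resolved once at select time, frozen for the session
    last_seen: float = field(default_factory=time.monotonic)


class GatewaySessionBroker:
    def __init__(self, entitlements, max_concurrent=2, lease_ttl=60.0):
        # entitlements: user -> {workspace -> effective policy}, i.e. what IAM
        # resolves per selection (constructed input in this example).
        self.entitlements = entitlements
        self.max_concurrent = max_concurrent   # accessManagement.session.maxConcurrentWorkspacesPerUser
        self.lease_ttl = lease_ttl             # seconds without a heartbeat before a lease lapses
        self.leases: dict[str, Lease] = {}

    def _live(self, user):
        now = time.monotonic()
        return [s for s, l in self.leases.items()
                if l.user == user and now - l.last_seen < self.lease_ttl]

    def select(self, user, workspace):
        """POST /gateway/session/select: entitlement check, then a concurrency slot."""
        policy = self.entitlements.get(user, {}).get(workspace)
        if policy is None:
            return 403, {"success": False, "error": "not entitled"}
        if len(self._live(user)) >= self.max_concurrent:
            return 409, {"success": False, "error": "concurrency limit reached"}
        session_id = str(uuid.uuid4())
        self.leases[session_id] = Lease(user, workspace, {"workspace": workspace, "policy": policy})
        return 200, {"success": True, "sessionId": session_id}

    def release(self, session_id):
        """POST /gateway/session/release."""
        return (200, {"success": True}) if self.leases.pop(session_id, None) else (404, {"success": False})

    def status(self, session_id):
        """GET /gateway/session/status: lease state for a reconnect preflight."""
        lease = self.leases.get(session_id)
        if lease is None or time.monotonic() - lease.last_seen >= self.lease_ttl:
            return 404, {"success": False, "error": "no live lease"}
        return 200, {"success": True, "workspace": lease.workspace}

    def route(self, headers):
        """Forward a routed request: heartbeat the lease and rebuild the trusted
        headers from the stored contract. Client-supplied X-Workspace-* and
        X-Policy-JSON are dropped, never merged. Returns None if no live lease."""
        lease = self.leases.get(headers.get("X-Session-ID"))
        if lease is None:
            return None
        lease.last_seen = time.monotonic()
        out = {k: v for k, v in headers.items()
               if not (k.startswith("X-Workspace-") or k == "X-Policy-JSON")}
        out["X-Workspace-Id"] = lease.contract["workspace"]
        out["X-Workspace-User"] = lease.user
        out["X-Policy-JSON"] = json.dumps(lease.contract["policy"], separators=(",", ":"))
        return out
```

The point of `route` is the replace-not-merge rule: whatever X-Policy-JSON a client attaches, the session host only ever sees the policy that IAM resolved at selection time.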

Configuration

| Property | Purpose |
|---|---|
| accessManagement.mode | builtin, standalone, or external (see above). |
| accessManagement.httpPort / bindAddress | Standalone listener (default 8090). |
| accessManagement.url | External IAM URL (external mode only). |
| accessManagement.database | PostgreSQL connection string + passwordRef for webstream_iam. See Persistence Layer. |
| accessManagement.session.maxConcurrentWorkspacesPerUser | Default concurrency cap (runtime overrides via /iam/session-limits). |
| accessManagement.authentication.mode | builtin, workgroup, or enterprise. |
| accessManagement.authentication.builtin | sessionTimeout (default 12 h), passwordMinLength, lockoutThreshold, lockoutDurationSeconds. MFA is enabled per user via webstream.exe -enable-mfa <username>. |
| accessManagement.authentication.workgroup / enterprise | Shared auth service URL + API key, or OAuth2/SAML/LDAP provider settings. See Identity & SSO. |
| accessManagement.auth.apiKeys | Service-to-service keys (defined but not currently enforced; security comes from network isolation). |
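A pre-deployment lint over the settings in the table, as an added example rather than anything the project ships: it flags the conditions a reviewer would reject (external mode, which currently returns 503; a standalone listener on all interfaces while apiKeys are unenforced; a database password inline instead of passwordRef; a builtin policy weaker than the 12 h default or with no lockout). The nested-dict layout (dotted property names split on "."), the `database.connectionString` field, sessionTimeout expressed in hours, and the numeric thresholds are assumptions made for the example; the weak and hardened configurations are constructed.

```python
"""Added example: lint for an accessManagement.* block. Not the project's own
validator; dict layout, connectionString field name, sessionTimeout unit (hours)
and the thresholds are assumptions."""


def lint_access_management(cfg):
    """Return (severity, finding) tuples for one accessManagement block."""
    findings = []
    mode = cfg.get("mode", "builtin")
    auth = cfg.get("authentication", {})

    if mode == "external":
        findings.append(("error", "mode=external: gateway proxy is not implemented and returns 503"))
    # The standalone listener has no enforced API key, so its reachability is the control.
    if mode == "standalone" and cfg.get("bindAddress") in (None, "", "0.0.0.0", "::"):
        findings.append(("warn", "standalone listener bound to all interfaces; apiKeys are not "
                                 "enforced, so restrict bindAddress to the gateway network"))
    if mode != "external" and cfg.get("url"):
        findings.append(("info", "accessManagement.url is ignored outside external mode"))
    if cfg.get("auth", {}).get("apiKeys"):
        findings.append(("info", "auth.apiKeys are defined but not enforced; do not rely on them"))

    db = cfg.get("database", {})
    conn = db.get("connectionString", "")            # assumed field name
    if "password=" in conn.lower():
        findings.append(("error", "database password inline in connection string; use passwordRef"))
    elif not db.get("passwordRef"):
        findings.append(("warn", "database.passwordRef not set"))

    if auth.get("mode", "builtin") == "builtin":
        b = auth.get("builtin", {})
        if b.get("sessionTimeout", 12) > 12:           # hours (assumed unit); 12 h is the default
            findings.append(("warn", "builtin sessionTimeout longer than the 12 h default"))
        if b.get("passwordMinLength", 0) < 12:
            findings.append(("warn", "passwordMinLength below 12"))
        if not b.get("lockoutThreshold"):
            findings.append(("warn", "lockoutThreshold unset or 0: no brute-force lockout"))
        elif b.get("lockoutDurationSeconds", 0) < 300:
            findings.append(("warn", "lockoutDurationSeconds below 300"))
    return findings


# Constructed configurations for the example.
WEAK = {
    "mode": "standalone",
    "httpPort": 8090,
    "database": {"connectionString": "Host=db;Database=webstream_iam;Username=iam;Password=hunter2"},
    "authentication": {"mode": "builtin",
                       "builtin": {"sessionTimeout": 24, "passwordMinLength": 8}},
    "auth": {"apiKeys": ["gateway-key"]},
}
HARDENED = {
    "mode": "standalone",
    "httpPort": 8090,
    "bindAddress": "10.0.20.5",
    "database": {"connectionString": "Host=db;Database=webstream_iam;Username=iam",
                 "passwordRef": "secret://webstream/iam-db"},
    "authentication": {"mode": "builtin",
                       "builtin": {"sessionTimeout": 12, "passwordMinLength": 14,
                                   "lockoutThreshold": 5, "lockoutDurationSeconds": 900}},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_access_management(cfg) or "clean")
```

Run it against the accessManagement block of a candidate config before promotion; the bindAddress and passwordRef checks are the ones that matter most in standalone mode, because the table above is explicit that isolation, not the API keys, is what protects the listener.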

Aligned settings on peer services