
Identity, Roles & Permissions

AgriFoodData uses Keycloak / OpenID Connect as its identity layer. Every API call is authenticated by JWT; every resource carries fine-grained permissions.

Roles

Roles are defined per the ITU/FAO reference architecture. Typical roles:

  • Farmer — owns the farm twin and its operational data.
  • Service Provider — runs an AI service registered in the catalogue.
  • Sensor / Machinery Vendor — registers Things and Datastreams.
  • Certification Body — audits operations against agreed schemes.
  • Operator — runs a regional deployment of the platform.
  • Developer — builds against the APIs.

Permissions

Permissions are fine-grained and technically enforceable, not just contractual. A farmer can grant access to a single field, a single region, or a single datastream, and revoke it again at any time.

The clearing-house (Data Sovereignty) records every grant and revocation for auditability.
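The grant, revoke and audit behaviour described above can be sketched as follows. This is an added example, not AgriFoodData's own code: the resource identifiers, the `ClearingHouse` class and `is_allowed` are hypothetical, and it assumes the caller's JWT and ownership of the resource were already verified upstream.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample hierarchy (hypothetical IDs): datastream -> field -> region.
PARENT = {
    "datastream:soil-moisture-7": "field:north-12",
    "field:north-12": "region:valley-a",
    "field:south-3": "region:valley-a",
}

@dataclass
class ClearingHouse:
    """Append-only record of every grant and revocation (illustrative model)."""
    log: list = field(default_factory=list)

    def _record(self, action, actor, grantee, resource):
        self.log.append({"ts": datetime.now(timezone.utc).isoformat(),
                         "action": action, "actor": actor,
                         "grantee": grantee, "resource": resource})

    def grant(self, actor, grantee, resource):
        self._record("grant", actor, grantee, resource)

    def revoke(self, actor, grantee, resource):
        self._record("revoke", actor, grantee, resource)

    def active_grants(self, grantee):
        """Replay the log; the latest event per resource decides its state."""
        state = {}
        for event in self.log:
            if event["grantee"] == grantee:
                state[event["resource"]] = event["action"] == "grant"
        return {res for res, active in state.items() if active}

def is_allowed(ch, grantee, resource):
    """Allow only if the resource or one of its ancestors has an active grant.
    Default deny: unknown resources and revoked grants return False."""
    granted = ch.active_grants(grantee)
    node = resource
    while node is not None:
        if node in granted:
            return True
        node = PARENT.get(node)  # climb to the enclosing field, then region
    return False
```

Because access is derived by replaying the log, a revocation takes effect on the next check and the history of who granted what stays intact for audit.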
