Anatomy of a Service

These layers are not produced by the registry today and must be handled separately — they are the usual cause of a "builds but won't run" service. Closing these automation gaps (driving certs, IAM permissions, and teardown from the registry) is tracked in Automate new service registration:

• IAM role permissions — the NATS permission grants (ores_iam_role_permissions_assign_fn(... '<role>', '<domain>::<action>')) are hand-maintained in projects/ores.sql/populate/iam/iam_roles_populate.sql. The registry creates the account and the role, but not what the role may do. A service with an account but no relevant permission gets a forbidden reply from every endpoint it calls.
• Controller service definition — the launch list lives in the DB table ores_controller_service_definitions_tbl, seeded from projects/ores.sql/populate/controller/controller_service_definitions_populate.sql and managed by the ores.controller.core service registry/lifecycle controller. A service absent here is never started; a service present here but crashing is restarted forever (restart_policy = always).
• NATS mTLS certs — each service needs a client cert (build/keys/nats/ores.<name>.service.crt/.key) trusted by the NATS server, generated by the certs tooling driven from SERVICE_NAMES.

ores::service::service::run builds an optional JWT verifier for the service. Each handler calls make_request_context(base_ctx, msg, verifier) (ores.service/service/request_context). The rule:

• If the service has no verifier, requests run as base_ctx (unauthenticated access is allowed).
• If the service has a verifier, the request must carry an Authorization: Bearer <jwt> header (or an X-Delegated-Authorization header). Absence ⇒ unauthorized; a token lacking the required permission ⇒ forbidden (handlers gate writes with has_permission(ctx, "<perm>")).

The validated token also carries the tenant, and make_request_context applies X-Workspace-Id / X-Workspace-Resolution headers to scope the request — see Multi-Tenancy Architecture.

A service that calls another service must present a token. Two mechanisms (see Service-to-Service JWT Delegation and the IAM client, ores.iam.client):

1. Mint its own service token — for calls a service initiates itself (e.g. startup bootstrap, a background feed). Wrap the raw client:

   ores::nats::service::nats_client svc_nats(
       nats,
       ores::iam::client::make_service_token_provider(
           nats, cfg.database.user, cfg.database.password()));
   auto reply = svc_nats.authenticated_request(subject, json);
   

   The provider authenticates with the service's own database account credentials against IAM (ores.iam.core) and caches/refreshes the JWT, renewing proactively before expiry per JWT Token Refresh: Configurable Lifetimes, Proactive Renewal. This is why the IAM account and its permissions must both exist.

2. Delegate the caller's token — for work done on behalf of an end user inside a handler. Forward the original JWT:

   auto downstream = svc_nats.with_delegation(extract_bearer(msg));
   

   This injects X-Delegated-Authorization: Bearer <token>, which make_request_context validates as the user's full identity.

A rejecting handler does not return a normal response. It calls error_reply, which publishes an empty body with an X-Error header whose value is one of unauthorized, forbidden, bad_request, token_expired. A caller that blindly decodes the reply as its expected response type gets an opaque "decode error" — the classic symptom of an unauthenticated call.

Typed clients must therefore inspect X-Error and surface a real error. The nats_client service path only auto-retries token_expired (after a forced token refresh); unauthorized / forbidden are returned to the caller as the X-Error reply for the typed client to translate. The marketdata client (ores::marketdata::client::market_data_client) is the reference pattern: check reply.headers["X-Error"] first, map it to a descriptive std::unexpected(...), and only decode the body when no error header is present.