Authentication
RCAN uses JWT tokens for secure, role-based robot access.
JWT Token Structure
{
  "sub": "550e8400-e29b-41d4-a716-446655440000",
  "iss": "continuon.cloud",
  "aud": "rcan://continuon.cloud/continuon/companion-v1/*",
  "role": "owner",
  "scope": ["control", "config", "training"],
  "fleet": ["d3a4b5c6", "a1b2c3d4"],
  "exp": 1735689600,
  "iat": 1735603200
}
Token Claims
| Claim | Description |
|---|---|
| sub | Subject - user identifier (UUID) |
| iss | Issuer - registry that issued the token |
| aud | Audience - target robot(s) or fleet pattern |
| role | Access role level (creator/owner/leasee/user/guest) |
| scope | Permitted actions |
| fleet | Device IDs this token can access |
| exp | Expiration timestamp (Unix) |
| iat | Issued-at timestamp (Unix) |
Role Hierarchy
| Level | Role | Permissions |
|---|---|---|
| 5 | CREATOR | Full control, OTA updates, safety overrides |
| 4 | OWNER | Configuration, skill installation, user management |
| 3 | LEASEE | Time-bound operational control |
| 2 | USER | Operational control within allowed modes |
| 1 | GUEST | Limited interaction, status viewing |
Rule: Higher roles inherit all permissions of lower roles.
Scopes
| Scope | Permission |
|---|---|
| status | Read robot status and diagnostics |
| control | Send movement/action commands |
| config | Modify robot configuration |
| training | Upload skills and behaviors |
| admin | Manage users and permissions |
Audience Patterns
# Specific robot
rcan://continuon.cloud/continuon/companion-v1/d3a4b5c6
# All robots of a model
rcan://continuon.cloud/continuon/companion-v1/*
# All robots from a manufacturer
rcan://continuon.cloud/continuon/*/*
# Fleet by device IDs (use fleet claim instead)
"fleet": ["d3a4b5c6", "a1b2c3d4", "e5f6g7h8"]
Token Validation
Robots validate tokens by:
- Verifying signature against issuer's public key
- Checking expiration (exp)
- Matching audience to self (aud)
- Confirming role has required scope
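The claim checks listed above, as an added example that is not part of the RCAN specification or the project's own code. It assumes the signature was already verified by a JWT library, that `*` in `aud` matches exactly one path segment, that a `fleet` claim narrows `aud` to the listed device IDs, and that the caller supplies the required scope and minimum role; the function names are hypothetical.

```python
import time

# Role levels from the Role Hierarchy section of this page.
ROLE_LEVEL = {"guest": 1, "user": 2, "leasee": 3, "owner": 4, "creator": 5}
PREFIX = "rcan://"

def audience_matches(aud, self_uri):
    """Segment-wise match; '*' matches exactly one segment (assumed semantics)."""
    if not (aud.startswith(PREFIX) and self_uri.startswith(PREFIX)):
        return False
    pat, own = aud[len(PREFIX):].split("/"), self_uri[len(PREFIX):].split("/")
    # Assumption: the registry segment must be literal, and the robot's own
    # URI never contains a wildcard.
    if len(pat) != len(own) or "*" in own or pat[0] == "*":
        return False
    return all(p == "*" or p == o for p, o in zip(pat, own))

def check_claims(claims, self_uri, trusted_iss, scope, min_role, now=None):
    """Return (ok, reason). Call only after the signature has been verified."""
    now = time.time() if now is None else now
    if claims.get("iss") != trusted_iss:
        return False, "untrusted issuer"
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired or missing exp"
    aud = claims.get("aud")
    if not isinstance(aud, str) or not audience_matches(aud, self_uri):
        return False, "audience mismatch"
    fleet = claims.get("fleet")
    device_id = self_uri.rsplit("/", 1)[-1]
    if fleet is not None and (not isinstance(fleet, list) or device_id not in fleet):
        return False, "device not in fleet"      # assumed: fleet narrows aud
    role = claims.get("role")
    level = ROLE_LEVEL.get(role, 0) if isinstance(role, str) else 0
    if level < ROLE_LEVEL[min_role]:             # unknown role is denied
        return False, "role too low"
    scopes = claims.get("scope")
    if not isinstance(scopes, list) or scope not in scopes:
        return False, "scope not granted"
    return True, "ok"

# Constructed sample: the token payload shown on this page, on device d3a4b5c6.
SAMPLE = {"sub": "550e8400-e29b-41d4-a716-446655440000", "iss": "continuon.cloud",
          "aud": "rcan://continuon.cloud/continuon/companion-v1/*",
          "role": "owner", "scope": ["control", "config", "training"],
          "fleet": ["d3a4b5c6", "a1b2c3d4"], "exp": 1735689600, "iat": 1735603200}
SELF = "rcan://continuon.cloud/continuon/companion-v1/d3a4b5c6"
```

Every check fails closed: a missing or mistyped claim is treated the same as a mismatch, so a token that omits `exp` or `scope` is rejected rather than accepted by default.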
Timeout Enforcement: Control sessions expire. Clients must explicitly renew tokens. This prevents stale sessions from maintaining control indefinitely.