# StellaOps Registry Token Service

Registry Token Service issues short-lived Docker registry bearer tokens for private or mirrored registries.
It exchanges an Authority-issued access token for a registry-compatible JWT after enforcing plan/licence constraints.

## Responsibilities

- Validate Authority-issued caller identity and required scopes (default `registry.token.issue`).
- Authorize requested repository scopes against a local plan catalogue (`stellaops:plan` claim + configured rules).
- Block issuance for revoked licences (`stellaops:license` claim + configured deny list).
- Mint registry tokens with a bounded lifetime (default 5 minutes) signed by a local RSA key.

## Key endpoints

- `GET /token` - Docker registry token exchange endpoint.
- `GET /healthz` - liveness probe.

## Code locations

- Service: `src/Registry/StellaOps.Registry.TokenService`
- Tests: `src/Registry/__Tests/StellaOps.Registry.TokenService.Tests`

## Configuration

- File: `etc/registry-token.yaml`
- Environment variables: `REGISTRY_TOKEN_*`

## Related docs

- Architecture: `docs/modules/registry/architecture.md`
- Operations: `docs/modules/registry/operations/token-service.md`