# Authority

## Purpose
Issue short-lived OpTok tokens with DPoP or mTLS sender constraints.

## Inputs
- Client credentials, device code, or auth code
- Signing keys and JWKS configuration

## Outputs
- JWT access tokens with audience and scope claims
- JWKS and optional introspection responses

## Data and storage
- PostgreSQL for clients, roles, tenants
- Valkey for DPoP nonce and jti caches

## Key dependencies
- PostgreSQL
- Valkey
- Optional KMS or HSM

## Notes and boundaries
- Does not issue PoE
- Tokens are operational and short-lived

## Related docs
- docs/modules/authority/architecture.md