# Admin Console
The IDToken Console is the operator dashboard for id3 Technologies staff and authorized partners. It provides centralized management of the IDToken authentication ecosystem.
## Purpose
Without the console, all admin operations require raw API calls or direct database queries. The console replaces this with a professional, auditable interface for:
- Enrollment oversight and token revocation
- Real-time session monitoring
- Audit trail analysis and export
- Trust infrastructure health monitoring
- Operator management
## Users and Roles
| Role | Permissions | Typical User |
|---|---|---|
| Super Admin | Full access: revoke tokens, manage operators, configure system | id3 platform team |
| Operator | Revoke tokens, view enrollments, view audit logs for own actions | id3 support staff, authorized partners |
| Auditor | Read-only: view enrollments, audit logs, analytics | Compliance officers, security reviewers |
All roles authenticate via IDToken itself (dogfooding) — operators enroll with their own VDS credential and are assigned admin roles.
## Console Pages
### Dashboard (Home)
Real-time operational overview with widgets:
| Widget | Data | Refresh |
|---|---|---|
| System health | GET /health | 30s poll |
| Auth success rate (24h) | Audit log aggregation | 5 min |
| Active sessions | Redis session count | 10s poll |
| Enrollments (total/active/revoked) | Database count | 5 min |
| Auth volume chart (7 days) | Time series | 5 min |
| Recent failures | AUTH_REJECT, VDS_VERIFY_FAIL events | Real-time WebSocket |
| VDS trust status | Trust cache TTL, cert expiry | 5 min |
A live session ticker shows AUTH_INITIATE, AUTH_APPROVE, AUTH_REJECT events in real time with color-coded status badges.
### Enrollments
- List view — sortable, filterable table: tokenId, deviceId, trustLevel, status, date
- Search — by tokenId (partial match) or deviceId
- Filters — trust level, status (active/revoked), date range
- Detail view — all enrollment fields, session history, audit trail, VDS metadata
- Revoke button — confirmation modal with reason picker (lost_device, compromised, expired_document, user_request)
- Bulk export to CSV
### Auth Sessions
- Live view — real-time feed of pending sessions (WebSocket), with countdown timers
- History view — paginated table, filterable by status, tokenId, date range, serviceId
- Detail view — full session lifecycle (initiated, approved/rejected/expired), timing, client info
### Audit Log
Searchable, read-only view of the immutable audit trail:
- Full-text search across event_type, tokenId, sessionId
- Multi-select event type filter
- Token and session drill-down (click any ID for full history)
- Timeline visualization for specific tokenIds
- Export filtered results to CSV
Event color coding:
| Color | Events |
|---|---|
| Green | ENROLL, AUTH_APPROVE, VDS_VERIFY_OK |
| Red | AUTH_REJECT, VDS_VERIFY_FAIL, REVOKE |
| Yellow | AUTH_EXPIRE, VDS_TEST_CERT |
| Blue | AUTH_INITIATE |
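The dashboard's "Auth success rate (24h)" and "Recent failures" widgets are described above as aggregations over the audit log, and the table just given fixes the colour of each event type. The following is an added example, not the IDToken console's own code: it parses a constructed JSON-lines audit export, applies the colour table, computes the 24-hour success rate and lists the newest failures. The record field names (`ts`, `event_type`, `tokenId`, `sessionId`) follow the page's audit-log terminology, but the JSON-lines format itself is an assumption.

```typescript
// Added example (not the IDToken console's own code): feeds constructed audit
// events through the aggregations behind the dashboard's "Auth success rate
// (24h)" and "Recent failures" widgets, using the audit-log colour table.
// The JSON-lines record format is assumed; the field names follow the page.

export type EventType =
  | "ENROLL" | "AUTH_INITIATE" | "AUTH_APPROVE" | "AUTH_REJECT" | "AUTH_EXPIRE"
  | "VDS_VERIFY_OK" | "VDS_VERIFY_FAIL" | "VDS_TEST_CERT" | "REVOKE";

export type EventColor = "green" | "red" | "yellow" | "blue";

// Colour coding exactly as the Audit Log table gives it.
export const EVENT_COLOR: Record<EventType, EventColor> = {
  ENROLL: "green", AUTH_APPROVE: "green", VDS_VERIFY_OK: "green",
  AUTH_REJECT: "red", VDS_VERIFY_FAIL: "red", REVOKE: "red",
  AUTH_EXPIRE: "yellow", VDS_TEST_CERT: "yellow",
  AUTH_INITIATE: "blue",
};

export interface AuditEvent {
  ts: Date;
  event_type: EventType;
  tokenId?: string;
  sessionId?: string;
}

function isEventType(x: unknown): x is EventType {
  return typeof x === "string" && Object.prototype.hasOwnProperty.call(EVENT_COLOR, x);
}

// Parses a JSON-lines audit export. Malformed lines and unknown event types are
// skipped rather than aborting the whole widget.
export function parseAuditLines(text: string): AuditEvent[] {
  const out: AuditEvent[] = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    let rec: any;
    try { rec = JSON.parse(line); } catch { continue; }
    const ts = new Date(rec.ts);
    if (Number.isNaN(ts.getTime()) || !isEventType(rec.event_type)) continue;
    out.push({ ts, event_type: rec.event_type, tokenId: rec.tokenId, sessionId: rec.sessionId });
  }
  return out;
}

const OUTCOMES: EventType[] = ["AUTH_APPROVE", "AUTH_REJECT", "AUTH_EXPIRE"];

// Share of completed sessions in the window that were approved. Returns null
// when no session completed, so the widget can show "n/a" rather than 0 %.
export function authSuccessRate(events: AuditEvent[], now: Date, windowMs = 24 * 3_600_000): number | null {
  const cutoff = now.getTime() - windowMs;
  const recent = events.filter(e => e.ts.getTime() > cutoff && OUTCOMES.includes(e.event_type));
  if (recent.length === 0) return null;
  const approved = recent.filter(e => e.event_type === "AUTH_APPROVE").length;
  return approved / recent.length;
}

// Newest red events first, for the "Recent failures" widget.
export function recentFailures(events: AuditEvent[], limit = 5): AuditEvent[] {
  return events
    .filter(e => e.event_type === "AUTH_REJECT" || e.event_type === "VDS_VERIFY_FAIL")
    .sort((a, b) => b.ts.getTime() - a.ts.getTime())
    .slice(0, limit);
}

// Constructed sample export; the last line is deliberately malformed.
export const SAMPLE_AUDIT_LOG = `
{"ts":"2025-01-02T11:50:00Z","event_type":"AUTH_INITIATE","tokenId":"tok_a1","sessionId":"ses_1"}
{"ts":"2025-01-02T11:50:05Z","event_type":"AUTH_APPROVE","tokenId":"tok_a1","sessionId":"ses_1"}
{"ts":"2025-01-02T10:00:00Z","event_type":"AUTH_APPROVE","tokenId":"tok_b2","sessionId":"ses_2"}
{"ts":"2025-01-02T09:30:00Z","event_type":"AUTH_REJECT","tokenId":"tok_c3","sessionId":"ses_3"}
{"ts":"2025-01-02T09:00:00Z","event_type":"VDS_VERIFY_FAIL","tokenId":"tok_c3"}
{"ts":"2025-01-01T13:00:00Z","event_type":"AUTH_APPROVE","tokenId":"tok_d4","sessionId":"ses_4"}
{"ts":"2025-01-01T08:00:00Z","event_type":"AUTH_EXPIRE","tokenId":"tok_e5","sessionId":"ses_5"}
this line is not JSON
`;

const sampleEvents = parseAuditLines(SAMPLE_AUDIT_LOG);
const sampleNow = new Date("2025-01-02T12:00:00Z");
console.log("success rate (24h):", authSuccessRate(sampleEvents, sampleNow));
for (const f of recentFailures(sampleEvents)) {
  console.log(EVENT_COLOR[f.event_type], f.ts.toISOString(), f.event_type, f.tokenId);
}
```

The window filter deliberately counts only outcome events (approve, reject, expire); counting AUTH_INITIATE as a denominator would let abandoned sessions drag the rate down before they have even expired.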
### Trust Health
Operational view of the VDS PKI trust infrastructure:
- Governance List — last fetch time, signature status, next refresh
- Scheme List — IAC, last fetch, TSL pointers, cache TTL
- TSL status — per-TSL: URL, last fetch, CA count, freshness
- Certificate inventory — cached signing certs with validity, expiry countdown, UsageList
- VRL status — last fetch, revoked VDS count, distribution point
- Alerts — cert expiring within 30 days (yellow), expired (red), stale trust list (warning)
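The alert rules in the last bullet (yellow for a certificate expiring within 30 days, red once it has expired, a warning for a stale trust list) are simple enough to state in code, which also makes the boundary cases explicit. The block below is an added example and not the console's own code. The 30-day threshold comes from the page; the staleness rule (a list is stale once its age exceeds its cache TTL), the type names and all sample certificates and lists are assumptions.

```typescript
// Added example (not the IDToken console's own code): computes the Trust
// Health alert levels from cached certificate expiry dates and trust-list
// fetch times. The 30-day certificate warning is from the page; the "stale"
// rule (age exceeds the cache TTL) is an assumption.

export type AlertLevel = "ok" | "yellow" | "red" | "warning";

export interface CachedCert {
  subject: string;   // constructed identifier for the signing certificate
  notAfter: Date;    // certificate expiry (X.509 notAfter)
}

export interface TrustList {
  name: string;            // Governance List, Scheme List or a TSL URL
  lastFetch: Date;
  cacheTtlSeconds: number; // how long a fetch counts as fresh
}

export interface Alert { level: AlertLevel; subject: string; detail: string }

const DAY_MS = 24 * 60 * 60 * 1000;
export const CERT_EXPIRY_WARNING_DAYS = 30;

// Whole days until notAfter; negative once the certificate has expired.
export function daysUntilExpiry(cert: CachedCert, now: Date): number {
  return Math.floor((cert.notAfter.getTime() - now.getTime()) / DAY_MS);
}

export function certAlert(cert: CachedCert, now: Date): AlertLevel {
  if (cert.notAfter.getTime() <= now.getTime()) return "red";                  // expired
  if (daysUntilExpiry(cert, now) <= CERT_EXPIRY_WARNING_DAYS) return "yellow"; // expiring soon
  return "ok";
}

export function trustListAlert(list: TrustList, now: Date): AlertLevel {
  const ageSeconds = (now.getTime() - list.lastFetch.getTime()) / 1000;
  return ageSeconds > list.cacheTtlSeconds ? "warning" : "ok";
}

// Every non-ok condition, most severe first (red, then warning, then yellow).
export function trustHealthAlerts(certs: CachedCert[], lists: TrustList[], now: Date): Alert[] {
  const rank: Record<AlertLevel, number> = { red: 0, warning: 1, yellow: 2, ok: 3 };
  const alerts: Alert[] = [];
  for (const cert of certs) {
    const level = certAlert(cert, now);
    if (level !== "ok") {
      alerts.push({ level, subject: cert.subject, detail: `${daysUntilExpiry(cert, now)} days until expiry` });
    }
  }
  for (const list of lists) {
    const level = trustListAlert(list, now);
    if (level !== "ok") {
      const ageHours = ((now.getTime() - list.lastFetch.getTime()) / 3_600_000).toFixed(1);
      alerts.push({ level, subject: list.name, detail: `last fetch ${ageHours} h ago, TTL ${list.cacheTtlSeconds} s` });
    }
  }
  return alerts.sort((a, b) => rank[a.level] - rank[b.level]);
}

// Constructed sample: one healthy cert, one expiring, one expired, one stale TSL.
const SAMPLE_NOW = new Date("2025-01-01T00:00:00Z");
console.log(trustHealthAlerts(
  [
    { subject: "CN=Signer A (constructed)", notAfter: new Date("2025-09-01T00:00:00Z") },
    { subject: "CN=Signer B (constructed)", notAfter: new Date("2025-01-20T00:00:00Z") },
    { subject: "CN=Signer C (constructed)", notAfter: new Date("2024-12-15T00:00:00Z") },
  ],
  [
    { name: "Governance List", lastFetch: new Date("2024-12-31T22:00:00Z"), cacheTtlSeconds: 86400 },
    { name: "https://tsl.example.test/tsl.xml (constructed)", lastFetch: new Date("2024-12-29T00:00:00Z"), cacheTtlSeconds: 86400 },
  ],
  SAMPLE_NOW,
));
```

Two boundary choices worth noting: a certificate whose `notAfter` equals the current instant is already red, not yellow, and the expiry countdown rounds down, so a certificate with 30 days and a few hours left is still reported as 30 days and therefore yellow.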
### Settings (Super Admin)
| Setting | Description |
|---|---|
| Operator management | Add/remove operators, assign roles |
| Rate limit tuning | Adjust auth/enroll rate limits at runtime |
| CORS origins | Manage allowed origins list |
| Trust cache | Force-refresh trust lists, clear certificate cache |
| Service Providers | Register SAML SPs, upload metadata, configure attribute mapping |
| System info | Server version, uptime, Node.js version, connected services |
## Security
- No direct database access — all data flows through the auth server admin API
- HttpOnly cookies — admin JWT stored securely (SameSite=Strict)
- CSRF protection — Astro server endpoints validate the Origin header
- Role-based route guards — Astro middleware checks the JWT role claim
- Audit trail — all admin actions logged (ADMIN_REVOKE, ADMIN_OPERATOR_CREATE, etc.)
- No sensitive data in browser — OTP values, private keys, raw VDS payloads never sent to the console
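The second, third and fourth bullets describe one request-handling path: an admin JWT held in an HttpOnly, SameSite=Strict cookie, an Origin check on the server endpoints, and a middleware that reads the JWT role claim and guards routes by role. The block below is an added example and not the IDToken console's own middleware; it is framework-agnostic rather than Astro-specific so it runs on its own. Assumptions: the cookie name `admin_session`, the claim name `role`, the route-to-role table (built from the Users and Roles section), a constructed allowed origin, and a minimal HS256 JWT implementation over a constructed secret in place of the auth server's real signing keys. Route-level roles only are modelled; the "own actions" scoping of an operator's audit view is a per-record filter outside this guard.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example, not the IDToken console's own middleware. It models the
// Security bullets as one framework-agnostic request guard:
//   1. state-changing requests must carry an Origin header on the allow-list
//   2. the admin JWT is read from an HttpOnly cookie (name "admin_session" assumed)
//   3. the JWT "role" claim (name assumed) must be permitted for the route
// JWT handling is a minimal HS256 implementation over a constructed secret so
// the example runs offline; the real console relies on the auth server's keys.

export type Role = "super_admin" | "operator" | "auditor";

export interface GuardRequest {
  method: string;
  path: string;
  headers: Record<string, string>; // header names lower-cased
  cookies: Record<string, string>;
}

export interface GuardResult { status: number; reason?: string; role?: Role }

export const ALLOWED_ORIGINS = new Set(["https://console.example.test"]); // constructed
const COOKIE_NAME = "admin_session";                                       // assumed
const SECRET = "constructed-example-secret-do-not-reuse";                  // constructed

// Longest prefix first; the "/" entry is the read-only catch-all every role may view.
const ROUTE_ROLES: Array<[string, Role[]]> = [
  ["/settings", ["super_admin"]],
  ["/enrollments/revoke", ["super_admin", "operator"]],
  ["/", ["super_admin", "operator", "auditor"]],
];

const b64url = (s: string | Buffer): string => Buffer.from(s).toString("base64url");

export function signAdminJwt(claims: Record<string, unknown>): string {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  const sig = createHmac("sha256", SECRET).update(`${head}.${body}`).digest("base64url");
  return `${head}.${body}.${sig}`;
}

// Returns the claims or null. Pins the algorithm, compares the MAC in constant
// time and requires a future exp: the three checks hand-rolled JWT code most often skips.
export function verifyAdminJwt(token: string, nowSec = Math.floor(Date.now() / 1000)): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  let header: { alg?: unknown };
  let claims: Record<string, unknown>;
  try {
    header = JSON.parse(Buffer.from(head, "base64url").toString("utf8"));
    claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  } catch { return null; }
  if (header.alg !== "HS256") return null;
  const expected = createHmac("sha256", SECRET).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const exp = claims["exp"];
  if (typeof exp !== "number" || exp <= nowSec) return null;
  return claims;
}

function isRole(x: unknown): x is Role {
  return x === "super_admin" || x === "operator" || x === "auditor";
}

export function guard(req: GuardRequest, nowSec?: number): GuardResult {
  const stateChanging = !["GET", "HEAD", "OPTIONS"].includes(req.method.toUpperCase());
  if (stateChanging) {
    const origin = req.headers["origin"];
    if (!origin || !ALLOWED_ORIGINS.has(origin)) return { status: 403, reason: "origin not allowed" };
  }
  const token = req.cookies[COOKIE_NAME];
  if (!token) return { status: 401, reason: "no admin session" };
  const claims = verifyAdminJwt(token, nowSec);
  if (!claims) return { status: 401, reason: "invalid or expired token" };
  const role = claims["role"];
  if (!isRole(role)) return { status: 403, reason: "unknown role" };
  const rule = ROUTE_ROLES.find(([prefix]) => req.path.startsWith(prefix));
  if (!rule || !rule[1].includes(role)) return { status: 403, reason: "role not permitted for route", role };
  return { status: 200, role };
}

// Set-Cookie value a login endpoint would issue: unreadable from page scripts,
// sent only over TLS, never attached to cross-site requests.
export function adminCookieHeader(token: string): string {
  return `${COOKIE_NAME}=${token}; HttpOnly; Secure; SameSite=Strict; Path=/`;
}

// Constructed walk-through: an operator revoking, then trying the Settings page.
const demoToken = signAdminJwt({ sub: "op-1 (constructed)", role: "operator", exp: 2_000_000_000 });
const demoRequest: GuardRequest = {
  method: "POST", path: "/enrollments/revoke",
  headers: { origin: "https://console.example.test" },
  cookies: { [COOKIE_NAME]: demoToken },
};
console.log(guard(demoRequest));
console.log(guard({ ...demoRequest, path: "/settings" }));
```

The Origin check is applied only to state-changing methods: a GET from another site cannot change anything, while a cross-site POST carrying the SameSite=Strict cookie would be blocked by the browser and, if the cookie arrived anyway, by the origin allow-list.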