Backend Services

If you are building a CI-related service, it is sensible to design it to accept Taskcluster credentials for authentication to its API methods.

This is quite simple: call auth.authenticateHawk from your backend with the appropriate parts of the HTTP request. Then verify that the returned scopes satisfy the scopes required for the operation being protected. There is no need to "register" the scopes you would like to use, but see the namespaces document for guidance on selecting appropriate names.
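The check described above, as an added example that is not Taskcluster's own code: the helper names and the req shape are hypothetical, auth is assumed to be a Taskcluster Auth client (or a stub), and the authenticateHawk field names and the 'auth-success' status reflect my understanding of that API and should be confirmed against its reference.

```javascript
// Added example; hypothetical helper names, not code from the Taskcluster project.

// Scope semantics: a held scope satisfies a required scope if they are equal,
// or if the held scope ends in '*' and the part before it is a prefix.
function scopeSatisfies(held, required) {
  if (held === required) return true;
  return held.endsWith('*') && required.startsWith(held.slice(0, -1));
}

// Every required scope must be satisfied by at least one held scope.
function satisfiesAll(heldScopes, requiredScopes) {
  return requiredScopes.every(r => heldScopes.some(h => scopeSatisfies(h, r)));
}

// Turn an authenticateHawk response into an allow/deny decision. Anything
// other than a well-formed success is treated as a failure (fail closed).
function decide(authResult, requiredScopes) {
  const ok = authResult && authResult.status === 'auth-success' &&
    Array.isArray(authResult.scopes);
  if (!ok) {
    const reason = (authResult && authResult.message) || 'authentication failed';
    return {allowed: false, status: 401, reason};
  }
  const clientId = authResult.clientId; // for display only, not for decisions
  if (!satisfiesAll(authResult.scopes, requiredScopes)) {
    return {allowed: false, status: 403, clientId, reason: 'insufficient scopes'};
  }
  return {allowed: true, status: 200, clientId};
}

// Forward only the signed parts of the request. host and port must be the
// values the client signed, which may differ behind a reverse proxy.
async function authorizeRequest(auth, req, requiredScopes) {
  const result = await auth.authenticateHawk({
    method: req.method.toLowerCase(),
    resource: req.url,
    host: req.host,
    port: req.port,
    authorization: req.headers.authorization,
  });
  return decide(result, requiredScopes);
}
```

The decision is made on the returned scopes only; the clientId is passed through so a user interface can show it.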

The advantage of this approach is that it facilitates service re-use: anyone who is familiar with Taskcluster APIs can call your API, whether from a task, the command line, the browser, or another service. Furthermore, the backend never sees the credentials, just the Hawk signature.

If you build a user interface around this approach, it is safe to display the clientId to the user so they can recognize the login. Just be cautious of the warning in the guidelines section regarding using clientIds for authentication.