> For the complete documentation index, see [llms.txt](https://docs-launchpad.energyweb.org/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs-launchpad.energyweb.org/energy-solutions/digital-spine-by-energy-web/component-guides/ddhub-client-gateway/technical-guide/authentication-and-authorization.md).

# Authentication and Authorization

## Overview

The Client Gateway offers **flexible user authentication**, allowing enterprises to decide whether to enable or bypass user-specific authentication based on their operational requirements.

For organizations choosing to implement user authentication, the Client Gateway supports two primary user scopes:

1. **Admin Scope**
   * Provides full access to the configuration and management of the Client Gateway.
   * Admins can define message topics, manage storage, monitor scheduled tasks, and configure security settings.
   * They are responsible for maintaining the overall operation and performance of the CGW.
2. **Message Scope**
   * Limited to sending, receiving, and processing messages through the Client Gateway.
   * Users with this scope can interact with defined message topics but do not have access to system configuration or administrative tasks.

The Client Gateway uses a [**Self-Sovereign Identity (SSI)**](/energy-solutions/digital-spine-by-energy-web/component-guides/self-sovereign-identities/ssi-hub.md) key called a [**DID (Decentralized Identifier)**](/core-concepts/decentralized-identifiers-dids.md) to securely represent the gateway itself rather than individual users. Operational roles for the gateway are directly encoded in the DID.

***

## User Guide

### Pre-requisites

* An environment suitable to deploy a fresh Client Gateway
* A DID with roles assigned through [Deploy Switchboard](/energy-solutions/digital-spine-by-energy-web/component-guides/self-sovereign-identities/deployment-guide/deploy-switchboard.md)
* A deployed [Key Vault](/energy-solutions/digital-spine-by-energy-web/component-guides/ddhub-client-gateway/deployment-guide/key-vault.md) to store secrets

### Setting up user authentication

To enable user authentication, the Client Gateway must be deployed with the following environment variables:

```
ENV_1=
ENV_2=
```

User credentials can then be stored manually in the deployed Key Vault.

### Assigning a DID

Once an `Admin` scoped user logs into a fresh Client Gateway, there will be a form field to assign a DID to it. Once submitted, the backend service will sync all roles for the identity.

<figure><img src="/files/R3ipMkaIfFCkoRpRPFS3" alt="" width="375"><figcaption><p>Enter private key</p></figcaption></figure>

<figure><img src="/files/klWuNIz1lsB20eCcW3FJ" alt="" width="375"><figcaption><p>Checking identity</p></figcaption></figure>

### Re-assigning a new DID

In the overview section of the Client Gateway, there is a section to manage the currently assigned DID. Press the button as shown below to clear the current DID in order to assign a new one.

<figure><img src="/files/Pfsg7IfCBbvvT4MS3LhS" alt=""><figcaption><p>Update DID</p></figcaption></figure>

<figure><img src="/files/lBKUbxTbdwuPUEZHan8M" alt="" width="375"><figcaption><p>Confirm reset private key</p></figcaption></figure>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs-launchpad.energyweb.org/energy-solutions/digital-spine-by-energy-web/component-guides/ddhub-client-gateway/technical-guide/authentication-and-authorization.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.