# Authentication and Authorization

## Overview

The Client Gateway offers **flexible user authentication**, allowing enterprises to decide whether to enable or bypass user-specific authentication based on their operational requirements.

For organizations choosing to implement user authentication, the Client Gateway supports two primary user scopes:

1. **Admin Scope**
   * Provides full access to the configuration and management of the Client Gateway.
   * Admins can define message topics, manage storage, monitor scheduled tasks, and configure security settings.
   * They are responsible for maintaining the overall operation and performance of the CGW.
2. **Message Scope**
   * Limited to sending, receiving, and processing messages through the Client Gateway.
   * Users with this scope can interact with defined message topics but do not have access to system configuration or administrative tasks.

The Client Gateway uses a [**Self-Sovereign Identity (SSI)**](/energy-solutions/digital-spine-by-energy-web/component-guides/self-sovereign-identities/ssi-hub.md) key called a [**DID (Decentralized Identifier)**](/core-concepts/decentralized-identifiers-dids.md) to securely represent the gateway itself rather than individual users. Operational roles for the gateway are directly encoded in the DID.

***

## User Guide

### Pre-requisites

* An environment suitable to deploy a fresh Client Gateway
* A DID with roles assigned through [Deploy Switchboard](/energy-solutions/digital-spine-by-energy-web/component-guides/self-sovereign-identities/deployment-guide/deploy-switchboard.md)
* A deployed [Key Vault](/energy-solutions/digital-spine-by-energy-web/component-guides/ddhub-client-gateway/deployment-guide/key-vault.md) to store secrets

### Setting up user authentication

To enable user authentication, the Client Gateway must be deployed with the following environment variables:

```
ENV_1=
ENV_2=
```

User credentials can then be stored manually in the deployed Key Vault.

### Assigning a DID

Once an `Admin`-scoped user logs into a fresh Client Gateway, a form field is shown for assigning a DID to the gateway. Once the form is submitted, the backend service syncs all roles for the identity.

<figure><img src="/files/R3ipMkaIfFCkoRpRPFS3" alt="" width="375"><figcaption><p>Enter private key</p></figcaption></figure>

<figure><img src="/files/klWuNIz1lsB20eCcW3FJ" alt="" width="375"><figcaption><p>Checking identity</p></figcaption></figure>

### Re-assigning a new DID

The overview section of the Client Gateway includes controls to manage the currently assigned DID. Press the button shown below to clear the current DID so that a new one can be assigned.

<figure><img src="/files/Pfsg7IfCBbvvT4MS3LhS" alt=""><figcaption><p>Update DID</p></figcaption></figure>

<figure><img src="/files/lBKUbxTbdwuPUEZHan8M" alt="" width="375"><figcaption><p>Confirm reset private key</p></figcaption></figure>


