# Claim envelope for a hub-to-hub service account (client_credentials
# grant). Profile-required `service` role, scoped tightly to the
# operation it performs. No preferred_username (service identities are
# named after the service and environment per the profile).
#
# Reference: NetKingdom IAM Profile v0.1 §"Service Account Flow" and
# §"Hub-to-Hub Service Account Pattern".

iss: https://sso.netkingdom.example/realms/netkingdom
sub: svc-markitect-tool-prod
aud:
  - flex-auth
exp: 4102444800
iat: 1767225600
azp: svc-markitect-tool-prod
client_id: svc-markitect-tool-prod
scope: hub:read hub:capability
roles:
  - service
  - operator