# Claim envelope for a hub-to-hub service account (client_credentials
# grant). Profile-required `service` role, scoped tightly to the
# operation it performs. No preferred_username (service identities are
# named after the service and environment per the profile).
#
# Reference: NetKingdom IAM Profile v0.2 "Service Account Flow".
iss: https://sso.netkingdom.example/realms/netkingdom
sub: svc-markitect-tool-prod
aud:
  - flex-auth
exp: 4102444800
iat: 1767225600
tenant: tenant:platform
principal_type: service
azp: svc-markitect-tool-prod
client_id: svc-markitect-tool-prod
scope: hub:read hub:capability
roles:
  - service
  - operator
groups: []
assurance:
  level: aal1
  methods:
    - client_secret
  mfa: false
  source: keycloak
  at: 1767225600