CycloneDX
diff --git a/‎api-flow/consumer.md‎
Lines changed: 41 additions & 2 deletions b/‎api-flow/consumer.md‎
Lines changed: 41 additions & 2 deletions
diff --git a/‎doc/authentication.md‎
Lines changed: 97 additions & 0 deletions b/‎doc/authentication.md‎
Lines changed: 97 additions & 0 deletions
diff --git a/‎doc/authorization.md‎
Lines changed: 98 additions & 0 deletions b/‎doc/authorization.md‎
Lines changed: 98 additions & 0 deletions
@@ -23,8 +23,18 @@ Component Release) to find the list of artefacts for the particular Product Rele
 ## API flow based on TEI discovery
 
 ```mermaid
-
 ---
+config:
+  sequence:
+    diagramMarginX: 60
+    diagramMarginY: 40
+    actorFontSize: 20
+    actorFontWeight: bold
+    noteFontSize: 18
+  theme: neo dark
+  layout: elk
+  look: neo
+
 title: TEA consumer flow
 ---
 sequenceDiagram
@@ -60,7 +70,6 @@ sequenceDiagram
         user ->> tea_component_release: Obtain latest collections
         tea_component_release -->> user: List of TEA Artifacts
     end
-
 ```
 
 ## API flow based on direct access to API
@@ -70,6 +79,16 @@ In this case, the client wants to search for a specific product release using th
 ```mermaid
 
 ---
+config:
+  sequence:
+    diagramMarginX: 60
+    diagramMarginY: 40
+    actorFontSize: 20
+    actorFontWeight: bold
+    noteFontSize: 18
+  theme: neo dark
+  layout: elk
+  look: neo
 title: TEA client flow with search
 ---
 
@@ -109,6 +128,16 @@ for a release.
 ```mermaid
 
 ---
+config:
+  sequence:
+    diagramMarginX: 60
+    diagramMarginY: 40
+    actorFontSize: 20
+    actorFontWeight: bold
+    noteFontSize: 18
+  theme: neo dark
+  layout: elk
+  look: neo
 title: TEA client flow with direct query for release
 ---
 
@@ -137,6 +166,16 @@ another query is done to get reason for update and new collection list of artefa
 ```mermaid
 
 ---
+config:
+  sequence:
+    diagramMarginX: 60
+    diagramMarginY: 40
+    actorFontSize: 20
+    actorFontWeight: bold
+    noteFontSize: 18
+  theme: neo
+  layout: elk
+  look: neo
 title: TEA client collection query
 ---
 
 
@@ -0,0 +1,97 @@
+# Authentication
+
+The Transparency Exchange API (TEA) supports two primary authentication mechanisms: Bearer Token authentication and Mutual TLS (mTLS) authentication. Implementations MUST support at least one of these mechanisms, and SHOULD support both for maximum compatibility.
+
+## Bearer Token Authentication
+
+Bearer token authentication uses JSON Web Tokens (JWTs) issued by an external identity provider. This is the recommended authentication mechanism for most use cases.
+
+### Token Acquisition
+
+Tokens are acquired out-of-band from the TEA server. The exact process depends on the service provider's identity management system, but typically involves:
+
+1. User or service authenticates with the provider's portal or API
+2. Provider issues a short-lived JWT (recommended: < 1 hour)
+3. Client includes the token in API requests
+
+### Token Format
+
+Tokens MUST be valid JWTs conforming to RFC 7519. The token payload SHOULD include:
+
+- `iss`: Issuer identifier
+- `sub`: Subject (user or service identifier)
+- `aud`: Audience (TEA server identifier)
+- `exp`: Expiration time
+- `iat`: Issued at time
+- `scope`: Space-separated list of authorized scopes
+
+### Request Format
+
+Include the token in the `Authorization` header:
+
+```
+Authorization: Bearer <token>
+```
+
+### Token Validation
+
+Servers MUST validate:
+
+- Token signature using the issuer's public key
+- Token expiration (`exp` claim)
+- Token audience (`aud` claim)
+- Required scopes for the operation
+
+## Mutual TLS Authentication
+
+Mutual TLS authentication uses client certificates for mutual authentication between client and server.
+
+### Certificate Requirements
+
+- Client certificates MUST use ECDSA P-384 or Ed25519 algorithms
+- Certificates MUST be issued by a trusted Certificate Authority (CA)
+- Certificate Subject Alternative Name (SAN) MUST include the client identifier
+
+### TLS Configuration
+
+- Minimum TLS version: 1.3
+- Server MUST request client certificates
+- Server MUST validate certificate chain
+- Client MUST present valid certificate
+
+### Authorization Mapping
+
+The client certificate's subject or SAN is mapped to TEA identities and scopes through server-side configuration.
+
+## Authentication Flow
+
+```mermaid
+sequenceDiagram
+    participant Client
+    participant TEA Server
+    participant IdP
+    
+    alt Bearer Token
+        Client->>IdP: Acquire token
+        IdP-->>Client: JWT token
+        Client->>TEA Server: Request + Authorization: Bearer <token>
+        TEA Server->>TEA Server: Validate token
+    else mTLS
+        Client->>TEA Server: TLS handshake with client cert
+        TEA Server->>TEA Server: Validate certificate
+    end
+    
+    TEA Server-->>Client: Authenticated response
+```
+
+## Error Responses
+
+- `401 Unauthorized`: Missing or invalid credentials
+- `403 Forbidden`: Valid credentials but insufficient permissions
+
+## Security Considerations
+
+- Tokens SHOULD be short-lived (< 1 hour)
+- mTLS certificates SHOULD have short validity periods
+- Implement token revocation mechanisms
+- Log authentication failures for security monitoring
@@ -0,0 +1,98 @@
+# Authorization
+
+The Transparency Exchange API (TEA) uses a scope-based authorization model. Permissions are granted through scopes assigned to authenticated identities. Scopes follow a hierarchical structure with read operations generally requiring fewer permissions than write operations.
+
+## Scope Model
+
+Scopes are granted to identities during authentication. Bearer tokens include scopes in the `scope` claim as a space-separated list. mTLS certificates are mapped to scopes through server configuration.
+
+### Scope Hierarchy
+
+```
+SCOPE_ADMIN_FULL (admin)
+├── SCOPE_PUBLISHER_* (publisher)
+│   ├── SCOPE_PUBLISHER_PRODUCTS_WRITE
+│   ├── SCOPE_PUBLISHER_COMPONENTS_WRITE
+│   ├── SCOPE_PUBLISHER_RELEASES_WRITE
+│   ├── SCOPE_PUBLISHER_ARTIFACTS_WRITE
+│   └── SCOPE_PUBLISHER_COLLECTIONS_WRITE
+└── SCOPE_CONSUMER_* (consumer)
+    ├── SCOPE_CONSUMER_PRODUCTS_READ
+    ├── SCOPE_CONSUMER_COMPONENTS_READ
+    ├── SCOPE_CONSUMER_COLLECTIONS_READ
+    ├── SCOPE_CONSUMER_ARTIFACTS_READ
+    ├── SCOPE_CONSUMER_ARTIFACTS_DOWNLOAD
+    └── SCOPE_CONSUMER_INSIGHTS_QUERY
+```
+
+## Consumer Scopes
+
+### Read Operations
+
+- `SCOPE_CONSUMER_PRODUCTS_READ`: List and retrieve product metadata
+- `SCOPE_CONSUMER_COMPONENTS_READ`: List and retrieve component metadata
+- `SCOPE_CONSUMER_COLLECTIONS_READ`: Access collection metadata and versions
+- `SCOPE_CONSUMER_ARTIFACTS_READ`: Retrieve artifact metadata
+- `SCOPE_CONSUMER_ARTIFACTS_DOWNLOAD`: Download artifact content
+- `SCOPE_CONSUMER_INSIGHTS_QUERY`: Execute CEL-based queries and searches
+
+## Publisher Scopes
+
+### Write Operations
+
+- `SCOPE_PUBLISHER_PRODUCTS_WRITE`: Create, update, delete products
+- `SCOPE_PUBLISHER_COMPONENTS_WRITE`: Create, update, delete components
+- `SCOPE_PUBLISHER_RELEASES_WRITE`: Create, update product/component releases
+- `SCOPE_PUBLISHER_ARTIFACTS_WRITE`: Upload and delete artifacts
+- `SCOPE_PUBLISHER_COLLECTIONS_WRITE`: Create and update collections
+
+## Admin Scopes
+
+### Administrative Operations
+
+- `SCOPE_ADMIN_FULL`: Full administrative access including user management, system configuration, and audit functions
+
+## Authorization Logic
+
+### API Endpoint Requirements
+
+| Endpoint                      | Required Scopes                     |
+| ----------------------------- | ----------------------------------- |
+| `GET /.well-known/tea`        | None (public)                       |
+| `GET /v1/discovery`           | None (public)                       |
+| `GET /v1/products*`           | `SCOPE_CONSUMER_PRODUCTS_READ`      |
+| `GET /v1/components*`         | `SCOPE_CONSUMER_COMPONENTS_READ`    |
+| `GET /v1/collections*`        | `SCOPE_CONSUMER_COLLECTIONS_READ`   |
+| `GET /v1/artifacts*`          | `SCOPE_CONSUMER_ARTIFACTS_READ`     |
+| `GET /v1/artifacts/*/content` | `SCOPE_CONSUMER_ARTIFACTS_DOWNLOAD` |
+| `POST /v1/insights/*`         | `SCOPE_CONSUMER_INSIGHTS_QUERY`     |
+| `POST /v1/publisher/*`        | Publisher scopes as above           |
+
+### Scope Validation
+
+Servers MUST validate that the authenticated identity possesses all required scopes for the requested operation. Missing scopes result in `403 Forbidden` responses.
+
+### Scope Granularity
+
+Scopes are intentionally coarse-grained to simplify implementation. Fine-grained access control (e.g., per-object permissions) is not supported in the base specification but may be implemented as extensions.
+
+## Authorization Flow
+
+```mermaid
+flowchart TD
+    A[Request] --> B[Authenticate]
+    B --> C{Valid Identity?}
+    C -->|No| D[401 Unauthorized]
+    C -->|Yes| E[Extract Scopes]
+    E --> F{Required Scopes?}
+    F -->|No| G[403 Forbidden]
+    F -->|Yes| H[Process Request]
+    H --> I[Response]
+```
+
+## Security Considerations
+
+- Implement least privilege: grant only necessary scopes
+- Regularly rotate credentials and review scope assignments
+- Audit authorization decisions for compliance
+- Consider scope expiration for temporary access