ADR-014: Clerk-style local JWT for tenant_auth — DEFERRED

Status: Deferred explicitly

Date: 2026-04-17 proposed, 2026-04-22 deferral formalized

Deciders: Mishaal Murawala

Context

Clerk shipped JWT M2M tokens that verify locally using the instance’s public key, eliminating the network round-trip for auth validation. V5 currently uses KV hash lookup for tenant auth (~1ms per request).

Claim: for a batch_execute call chain hitting 8 APIs, replacing KV lookup with locally-verified JWT saves ~8ms per request.

Decision

Defer explicitly. Not in 2026 Q2. Revisit at >$5K/mo V5 spend OR 3+ active tenants.

Rationale

  1. KV lookup is already ~1ms. Current gateway overhead budget (≤10ms) has room.
  2. Migration cost exceeds savings at current scale. Rewriting tenant_auth validation + re-issuing tenant bearer tokens as signed JWTs + handling key rotation = ~1 week of engineering. Current savings: ~1ms per request × low request volume = minutes of CPU/year.
  3. JWT verification adds new failure modes (clock skew, key rotation, token revocation lag) that KV hash lookup doesn’t have. At single-tenant scale, the reliability cost isn’t justified.
  4. Opportunity cost. Same engineering time applied to ADR-016 Phase 1 has materially larger business impact.
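
The three failure modes in rationale item 3, shown side by side with the KV lookup. This is an added sketch, not V5 or Clerk code. The Ed25519 keys, the 30-second leeway, the `kid` names, the token lifetimes and the KV model (SHA-256 of the bearer token mapped to a tenant) are all assumptions made for illustration.

```javascript
// Added illustration; every name and value below is hypothetical/constructed.
const crypto = require('node:crypto');

const LEEWAY_S = 30; // assumed clock-skew tolerance, in seconds
const b64u = (x) => Buffer.from(x).toString('base64url');
const unb64u = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Issuer side: sign header.payload with the Ed25519 private key for `kid`.
function issue(kid, privateKey, claims) {
  const signed = `${b64u(JSON.stringify({ alg: 'EdDSA', kid }))}.${b64u(JSON.stringify(claims))}`;
  return `${signed}.${b64u(crypto.sign(null, Buffer.from(signed), privateKey))}`;
}

// Gateway side, local JWT: outcome depends on the local key set and clock only.
function verifyLocal(token, publicKeys, nowS) {
  const [head, body, sig] = token.split('.');
  if (!head || !body || !sig) return 'malformed';
  let header, claims;
  try { header = unb64u(head); claims = unb64u(body); } catch { return 'malformed'; }
  if (header?.alg !== 'EdDSA') return 'bad_alg';         // pin the algorithm
  const key = publicKeys.get(header.kid);
  if (!key) return 'unknown_kid';                        // key rotated out
  const okSig = crypto.verify(null, Buffer.from(`${head}.${body}`), key, Buffer.from(sig, 'base64url'));
  if (!okSig) return 'bad_signature';
  if (!Number.isFinite(claims?.nbf) || !Number.isFinite(claims?.exp)) return 'malformed';
  if (nowS + LEEWAY_S < claims.nbf) return 'not_yet_valid';
  if (nowS - LEEWAY_S >= claims.exp) return 'expired';
  return 'ok';
}

// Gateway side, KV model (assumed): SHA-256(bearer) -> tenant; delete = revoke.
const verifyKv = (token, kv) => (kv.has(sha256(token)) ? 'ok' : 'rejected');

function demo() {
  const now = 1800000000; // constructed issue time (Unix seconds)
  const k1 = crypto.generateKeyPairSync('ed25519');
  const k2 = crypto.generateKeyPairSync('ed25519');
  const keys = new Map([['k1', k1.publicKey]]);
  const jwt = issue('k1', k1.privateKey, { sub: 'tenant-a', nbf: now, exp: now + 300 });
  const kv = new Map([[sha256('opaque-bearer'), 'tenant-a']]);
  const out = { valid: verifyLocal(jwt, keys, now + 10) };
  out.clock20sBehind = verifyLocal(jwt, keys, now - 20);   // inside leeway
  out.clock120sBehind = verifyLocal(jwt, keys, now - 120); // outside leeway
  kv.delete(sha256('opaque-bearer'));                      // tenant revoked at now+60
  out.kvAfterRevoke = verifyKv('opaque-bearer', kv);
  out.jwtAfterRevoke = verifyLocal(jwt, keys, now + 60);   // still valid until exp
  keys.delete('k1'); keys.set('k2', k2.publicKey);         // rotation drops k1 too early
  out.jwtAfterRotation = verifyLocal(jwt, keys, now + 60);
  return out;
}
```

In this sketch the revoked KV entry is rejected immediately, while the JWT keeps verifying until `exp` plus leeway unless a revocation list is consulted, which reintroduces a lookup.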

Re-evaluation trigger

Revisit when ANY of:

  • V5 spend >$5K/mo — at that scale the per-request CPU cost shows up.
  • Active tenants ≥3 — per-tenant key rotation becomes a real ops load.
  • Observed p99 latency exceeds 20ms — worth optimizing.

Status

Won’t work on this in 2026. If 2027 brings one of the re-evaluation triggers, file ADR-014a.