Skip to content
FedTrustFederated TrustDocs

Enter at least two characters.

Type to search all documentation pages and sections. Use ↑ ↓ to move, Enter to open, and Esc to close.

Platform statuses are part of the claim

Application ecosystem

License the app. Grant the data separately.

Federated Trust is designed for customers and partners that build software for their own teams, their customers, or a broader market. The governed publishing and installation path is not generally available yet. A commercial entitlement permits use of an app; it never silently authorizes access to tenant data.

Builders03 chapters
01

The application lifecycle has distinct decisions

Register and publish

A publisher identifies the application, its responsible party, release identity, requested integration surface, and declared data needs.

License or subscribe

A commercial relationship determines whether a tenant may install or use the software. It is an entitlement, not a data grant.

Install and consent

A tenant administrator evaluates requested access, creates or approves the tenant-specific application identity, and grants only the required authority.

Operate and revoke

Workload actions remain attributable, policy-bound, auditable, and independently revocable from the software license.

Application publishing, licensing, and tenant installation

The separate publisher, license, tenant installation, workload identity, consent, and data-grant lifecycle is designed; the governed mutation and release path is not generally available.

02

Internal and external apps use the same trust boundary

Customer-built

A business can build internal software without giving the publisher or platform operator standing access to its data.

Partner-built

A partner can distribute software across multiple customers while every installation receives its own tenant context and grants.

Publicly licensed

A broadly available app still receives access only after the installing tenant’s policy and consent decisions.

Application publishing, licensing, and tenant installation

The separate publisher, license, tenant installation, workload identity, consent, and data-grant lifecycle is designed; the governed mutation and release path is not generally available.

03

Applications consume governed interfaces

Customer control of the data plane does not mean every app receives raw database or query-language access.

Typed contracts

Applications integrate through versioned SDK, RPC, or API contracts that preserve authorization and validation boundaries.

Workload identity

Automation acts as an identified workload, optionally on behalf of a person, rather than borrowing a reusable human credential.

Resource-specific enforcement

The service holding the data verifies tenant, audience, action, and local policy before performing the operation.

Application publishing, licensing, and tenant installation

The separate publisher, license, tenant installation, workload identity, consent, and data-grant lifecycle is designed; the governed mutation and release path is not generally available.

Resource-service final deny

Local audience, tenant, revision, revocation, and resource-policy enforcement is a required design contract; conformance must be proven for each relying service.