Labs / Optional path

Move the broker behind a backend boundary

This companion lab turns the localhost trust-boundary lesson into the stronger production-shaped pattern: the host calls your backend, and the backend owns the provider secret.

What changes

The credential boundary leaves the local host entirely.

The host now presents its own backend token and user identity. The backend decides whether to forward the call and which upstream secret to use.

Run the dry-run backend

export BACKEND_BROKER_TOKEN=demo-backend-token
python3 labs/backend-broker/server.py --config labs/backend-broker/server_config.dry-run.json

Time guide. Setup: 10–20 min if you want to compare it with the localhost broker pattern. Working through it: 20–40 min once the dry-run backend is in front of you.

Boundary

The local host no longer touches the provider credential directly; it only talks to your backend contract.

Real-world analog

Internal API gateway, backend-for-frontend, or managed-identity-backed app service.

Security companion: backend or managed identity path.