Olympus Docs

Athena → Kratos admin

Internal admin API call chain

Layers

  1. Caddy: TLS termination, basic rate limiting.
  2. Athena middleware: verifies the session HMAC, then checks the role.
  3. Service layer: encapsulates the Kratos API call (testable in isolation).
  4. Kratos admin API: no auth, protected by network ACL only.
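The call chain above, as an added example (not Olympus's or Athena's own code): layer 2 verifies the session HMAC and the role before layer 3 ever builds a request to the unauthenticated admin port. The session key, token layout, role name and the `http://kratos-admin:4434` address are assumptions, and the HTTP transport is injected so the service layer can be exercised without a live Kratos.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable

# Constructed example key; a real deployment loads it from Athena's secret store.
SESSION_KEY = b"constructed-example-key-not-for-production"
ADMIN_ROLE = "admin"  # assumed role name


class Forbidden(Exception):
    """Raised by the middleware layer; the Kratos call is never reached."""


def sign_session(payload: dict, key: bytes = SESSION_KEY) -> str:
    """Issue a session token: base64url(JSON payload) '.' hex(HMAC-SHA256 over it)."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_session(token: str, key: bytes = SESSION_KEY) -> dict:
    """Layer 2, step 1: constant-time HMAC check before the payload is trusted at all."""
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        raise Forbidden("malformed session")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise Forbidden("bad session signature")
    return json.loads(base64.urlsafe_b64decode(body))


def require_role(session: dict, role: str) -> None:
    """Layer 2, step 2: the role check lives in Athena because Kratos admin does none."""
    if session.get("role") != role:
        raise Forbidden(f"role required: {role}")


@dataclass
class KratosAdminService:
    """Layer 3: the only code path allowed to talk to the admin port."""
    base_url: str  # assumed intranet-only address, e.g. http://kratos-admin:4434
    transport: Callable[[str, str], tuple[int, bytes]]  # (method, url) -> (status, body)

    def get_identity(self, identity_id: str) -> dict:
        status, body = self.transport("GET", f"{self.base_url}/admin/identities/{identity_id}")
        if status != 200:
            raise RuntimeError(f"kratos admin returned {status}")
        return json.loads(body)


def handle_get_identity(token: str, identity_id: str, svc: KratosAdminService) -> dict:
    """Athena handler: both middleware checks pass before layer 3 is called."""
    session = verify_session(token)
    require_role(session, ADMIN_ROLE)
    return svc.get_identity(identity_id)
```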

Why Kratos admin has no auth

Kratos's admin port is bound to the intranet network only and is never publicly exposed (see Operate, Network topology). The network boundary is the authentication boundary: the host firewall blocks the port from the internet.
