Olympus Documentation What is Olympus Architecture Repo Map License Glossary

Athena API Authentication Athena API Errors Athena API Pagination Athena Settings API SDK Settings API

Environment variables

Sequence diagrams Authorization Code + PKCE Client Credentials (M2M)Refresh token rotation RP-initiated logout Email verification roundtrip Password recovery with HMAC token Social IdP linking MFA step-up to AAL2 Brute-force lockout escalation Athena → Kratos admin Caddy → backend routing Production deploy pipeline Encryption key rotation (zero-downtime)pgAdmin OIDC SSO Claude-driven Daedalus deploy via MCP

ReferenceSequence diagrams

MFA step-up to AAL2

Escalating session AAL for sensitive operations

Where AAL2 is required

Kratos's default policy:

Changing password (settings flow)
Disenrolling MFA
Linking/unlinking last credential
Any operation marked required_aal: aal2 in kratos.yml

Your app can require AAL2 for its own sensitive operations following the pattern above.

Where to learn more

Identity, Sessions, AAL, refresh
Identity, MFA policy
Cookbook, Enforce step-up auth
Troubleshooting, Session AAL too low

Social IdP linking

Linking a Google/GitHub/etc. account to an existing password identity

Brute-force lockout escalation

How repeated failed logins escalate to a lockout

On this page

Where AAL2 is required Where to learn more