thoth-pub · ja573 · Jun 3, 2025 · Jun 3, 2025 · Jun 3, 2025 · Jun 6, 2025
diff --git a/.env.example b/.env.example
@@ -2,14 +2,10 @@
 THOTH_GRAPHQL_API=http://localhost:8000
 # THOTH_EXPORT_API is used at compile time, must be a public facing URL
 THOTH_EXPORT_API=http://localhost:8181
-# Authentication cookie domain
-THOTH_DOMAIN=localhost
 # Full postgres URL
 DATABASE_URL=postgres://thoth:thoth@localhost/thoth
 # Full redis URL
 REDIS_URL=redis://localhost:6379
-# Authentication cookie secret key
-SECRET_KEY=an_up_to_255_bytes_random_key
 # Logging level
 RUST_LOG=info
 

diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
 .env
 db/
 target/
+machinekey/
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Changed
+  - [697](https://github.com/thoth-pub/thoth/pull/697) – Migrated GraphQL API authentication to OIDC via Zitadel. Internal JWT handling has been replaced with introspection of Zitadel-issued tokens. Authorisation is now based entirely on token claims, removing the need for the internal `account` and `publisher_account` tables.
+  - [697](https://github.com/thoth-pub/thoth/pull/697) – Replaced legacy password-based login in the Thoth APP with Zitadel OIDC authentication using PKCE. The app now redirects to Zitadel for login, exchanges authorisation codes for tokens, and introspects tokens client-side to determine roles and permissions.
 ### Removed
   - Deprecated thoth-app