Tweek users/apps are recognized as pair of group+user commonly refered as subject.

Tweek can map JWT token from external systems (OIDC/OAUTH2) to a subject by using a subject extraction policy based on OpenPolicyAgent’s ( Rego language. Tweek can login and verify tokens form multiple multiple external OIDC providers.

A common use case is to use an external OIDC provider such as Google/Azure/Auth0 for auditing and managing access for Tweek editor. Client apps (browser/mobile) can use the same mechanism for fetching values or writing to context. Tweek also support credentials creation for external apps. (pair of client-id, client-secret)

Additionally, it’s possible to generate an admin token by signing a JWT token with the publishing repo private key which have full access to all Tweek api.


Tweek has an ACL mechanism for controlling access to resources. The ACL is based on a JSON policy file.