# Authentication & authorization Once your lab app is reachable through a secure remote desktop session, the next step is to integrate a control layer that decides who is allowed to access it, when, and to which specific lab. This is where DecentraLabs' authentication and authorization system comes into play. To ensure secure, automated, and verifiable access management, DecentraLabs provides the **blockchain-services** component, available as open source at [DecentraLabsCom/Blockchain-Services](https://github.com/DecentraLabsCom/Blockchain-Services). This component acts as the bridge between: * ✅ the lab gateway's reverse proxy managing incoming remote desktop sessions, and * 🔗 the blockchain smart contracts that govern lab reservations and permissions. #### What does it do? When a user connects to a lab through the marketplace and initiates a session, the blockchain-services authentication module performs two critical tasks: 1. **Authentication**\ It verifies the identity of the customer through the institutional login flow used by the marketplace (for example eduGAIN- or RedIRIS-backed federation). 2. **Authorization**\ It checks whether the user has a valid reservation for a specific lab (based on the smart contracts on-chain) and determines: * If access should be granted * Which lab instance should be routed * When the access period starts and ends Once validated, the `blockchain-services` authentication module issues a signed **JWT token** containing all the necessary information (lab ID, user ID, time window, etc.), which is used by the lab gateway to allow or deny access accordingly. This architecture ensures that only authorized users can access specific labs, within their allocated time slots, all with full auditability and blockchain-backed verification. #### Summary of the Flow 1. A user reserves a lab through the DecentraLabs marketplace and the booking gets recorded onchain. 2. At the scheduled time, they request access. 3. The `blockchain-services` authentication module validates their institutional session context and booking state. 4. If valid, it issues a signed JWT. 5. The lab gateway receives the JWT, validates it, and opens the remote desktop session for the corresponding lab. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://decentralabs-2.gitbook.io/decentralabs-docs/marketplace/become-a-provider/authentication-and-authorization.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.