Every User Starts
as a Machine
Anonymous visitors aren't ungated — they're machine-credentialed. Walk through the full progressive identity journey: from your first anonymous request to a fully correlated OIDC session. Watch the gateway handle every transition.
This is not a "token merge." OAuth2 doesn't have that concept.
What you're watching is a correlation event — the gateway threads a
signed session_id through the OIDC
redirect, then links it to your user_sub
on callback. The machine credential and the user credential are separate — and that's the honest story.
You just arrived
No cookie, no token. The gateway sees an unauthenticated visitor hitting /register.
Read the deep dive
Why this pattern exists, how the security constraints work, and why the gateway is the right layer for it.
Read: "Every User Starts as a Machine"