v1Changelog

Security

Authentication, authorization, token and credential handling, transport security and data protection.

Authentication

The API uses JWT bearer tokens. Obtain a token via POST /v1/onboarding/login/user and send it on protected calls:

Authorization: Bearer <JWT_TOKEN>

Authorization (RBAC)

Access is governed by role-based access control. A user holds a role; a role grants module/sub-module actions. A 403 indicates the authenticated principal lacks the required action. Model least-privilege roles and verify entitlements via GET /v1/onboarding/me. See Users, Roles & Modules.

Token handling

⚠️ Warning

Treat access tokens as secrets. Do not commit them to source control, embed them in shared Postman collections, log them, or place them in URLs.

TLS / SSL expectations

All non-local traffic must use HTTPS (TLS). Observed responses include strong transport-security headers, e.g.:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; ...
Referrer-Policy: strict-origin-when-cross-origin

Sensitive data handling

Several fields are sensitive and must be protected end-to-end:

DataWhere it appearsGuidance
Login email / passwordlogin/user, users/password, mfa/statusTransmitted as encrypted strings; never send plaintext.
MFA secretmfa/status, mfa/register (encodedSecret)Never log or persist beyond enrolment.
Core-banking credentialscore-connectivity (userName, password, adminPassword)Send over TLS only; store in a secrets manager.
Terminal/app keysterminal-key (appKey)Treat as secret; rotate on suspicion of exposure.
Access tokens / API keysAuthorization header; external mail keysNever embed in code, collections, or URLs.
❗ Important

This documentation deliberately replaces all real secrets from the source material with placeholders and synthetic values. Apply the same discipline in your own examples, tickets and screenshots.

Rate limiting

Rate-limiting policy is typically enforced at the API gateway. The specific limits, headers (e.g. Retry-After) and the 429 behaviour are To be confirmed. Build clients to back off exponentially with jitter on 429 and 503.

Operational endpoints

Spring Actuator and metrics endpoints (/actuator/*) can expose sensitive operational data (heap dumps, beans, thread dumps). These should be network-restricted and not exposed publicly. See the Operational & Monitoring appendix.