Security & Access Control

Key highlights

• JWT authentication: Short-lived access tokens (minutes) with long-lived refresh tokens (days) minimise the window of exposure if a token is compromised. Token rotation is automatic.
• Two-Factor Authentication (TOTP): All users can enable 2FA using any TOTP app (Google Authenticator, Authy, etc.). Setup uses a QR code and generates recovery codes.
• Role-Based Access Control (RBAC): Five built-in roles (USER, CHAUFFEUR, SUPPORT, ADMIN, SUPER_ADMIN) provide a sensible default structure.
• 200+ named permissions: Fine-grained permissions like read:vehicle-description and create:trip let you control exactly what each role or user can do.
• SAML 2.0 SSO: Enterprise customers integrate their own IdP (Azure AD, Okta, or any SAML 2.0 provider) for SSO with automatic user provisioning.
• Argon2 password hashing: Passwords are hashed using Argon2id, the winner of the Password Hashing Competition, providing resistance against GPU-based brute-force attacks.
• Per-API-key rate limiting: Every API key has its own configurable rate limit. Burst traffic from a misbehaving integration is contained without affecting other consumers.
• Error tracking & request logging: All API requests are logged. Errors are reported to Sentry in real time with full stack traces and request context.