Platform Module

Identity & Access Auth, RBAC & Security

Enterprise-grade authentication and authorization built into the platform core. Multi-factor auth, OAuth2, 18+ roles, tenant isolation, and full GDPR compliance — out of the box.

Request a Demo View Platform

▶Authentication

Every way in, fully secured

Multiple authentication methods, all secured with httpOnly cookies. No tokens exposed to JavaScript — ever.

Email & Password

Bcrypt hashing with 12 salt rounds
Min 8 chars — uppercase, lowercase, number
Account lockout after 5 failed attempts
30-minute cooldown on lockout

Multi-Factor (MFA)

TOTP — Google Authenticator, Authy compatible
One-time backup codes for recovery
Per-user or mandatory per-tenant enforcement
Timing-safe comparison against side-channel

OAuth2 / Social Login

Google — OpenID Connect with email verification
GitHub — OAuth2 with user:email scope
Microsoft Azure AD — enterprise SSO
Auto account linking when emails match

Partner API Access (B2B)

OAuth2 Client Credentials grant (M2M)
Scoped API tokens with per-client rate limits
Optional IP whitelist per application
Provider tokens encrypted at rest

▶Token Management

Short-lived, auto-rotated

Tokens delivered via httpOnly, Secure, SameSite=Lax cookies. Automatic refresh on 401 — transparent to the user. Refresh tokens are single-use and rotated on every renewal.

Isolated cookie namespaces per frontend app

Single-use refresh tokens prevent replay attacks

Transparent renewal — no user intervention needed

token lifecycle

Access Token

API authentication (JWT)

15 min

Refresh Token

Silent token renewal

7 days

Service Token

Service-to-service auth

5 min

Partner Token

B2B API access

1 hour

▶Authorization

18+ roles, granular control

Fine-grained role-based access control with built-in roles across every domain. Create custom roles for your organization. System roles are immutable.

System

adminPLATFORM_ADMINadmin_viewer

Sales

SALES_REPSALES_MANAGERACCOUNT_MANAGER

Operations

NOC_OPERATORNOC_MANAGERCLOUD_OPSOPERATIONS_MANAGER

Support

SUPPORT_AGENTSUPPORT_MANAGER

Finance

FINANCE_ANALYSTFINANCE_MANAGER

Other

SECURITY_ANALYSTproduct_managerEXECUTIVEcustomer_viewer

Access Control Decorators

@Public()Unauthenticated access (login, register, OAuth)

@Roles(...)Restrict to specific roles

@ServiceOnly()Service-to-service endpoints only

@CurrentUser()Extract authenticated user context

▶Multi-Tenancy

Complete tenant isolation

Every user belongs to a tenant. All data is automatically scoped — users can never access resources from other tenants. Configurable per organization with full branding support.

Tenant types: Customer, Partner, Internal

Configurable locale, timezone, currency, date format

Resource limits: max users, max cloud instances

Feature flags per tenant: billing, support, provisioning

Custom branding: logo, primary color, company URL

Invite-by-email with auto-role assignment

▶API Keys

Programmatic access

Create long-lived API keys for machine-to-machine integration. Prefixed, hashed, trackable, and instantly revocable.

1 — Generate

cf_prod_x7kM9nRp2vL4wQ8jF3hA...

Shown once — copy now or lose it forever

2 — Store

SHA256: e3b0c442...98f5

Original key is never stored — only the hash

3 — Authenticate

curl -H "Authorization: Bearer cf_prod_..."
     api.cloudfactory.com/v1/resources

200 OK — authenticated

Shown Once

API key displayed only at creation. Cannot be retrieved later — regenerate if lost.

SHA256 Hashed

Only the hash is stored. Even a database breach won't expose your keys.

Prefixed Format

cf_prod_ and cf_dev_ prefixes for easy identification in logs and configs.

Usage Tracking

Last-used timestamps on every key. Identify stale keys and revoke them.

Instant Revocation

Revoke any key immediately from the admin panel. Takes effect on next request.

▶Audit Trail

Every action,
fully traced

Every security-relevant action is logged with full context: actor, action, resource, timestamp, previous state, new state, and correlation ID for distributed tracing.

Compliance

GDPR Art. 20

Right to Erasure

GDPR Art. 17

Security Log // B7-X92

Actor

admin_ops // user_8291

Event Triggered

ACCESS_ROLE_REMOVED

Resource

cluster_production_01

Digital SignatureVERIFIED

SHA256: 8f93a2b1c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0t1u2v3w4x5y6z7a8b9c0d1

▶Security

Defense in depth

httpOnly Cookies

JWT tokens never exposed to JavaScript — immune to XSS token theft

Rate Limiting

50 req/min on auth endpoints, configurable per tenant tier

Account Lockout

5 failed attempts triggers 30-minute lockout with notification

Timing-Safe

Prevents timing attacks on token and password verification

Encrypted at Rest

OAuth provider credentials and tokens encrypted in database

Security Headers

CORS, CSP, HSTS — full header suite enforced at gateway level

Enterprise identity, built in

Stop building auth from scratch. Get MFA, OAuth2, RBAC, multi-tenancy, and GDPR compliance out of the box.

Request a Demo Explore API Gateway

▶FAQ

Common Questions

All authentication tokens are delivered via httpOnly, Secure, SameSite=Lax cookies. This means JavaScript running in the browser can never read the token, making XSS-based token theft impossible. Token refresh happens transparently — a 401 response triggers automatic renewal.

Yes. MFA can be configured per-user or enforced as mandatory per-tenant. When mandatory, users are required to set up TOTP during their next login. Backup codes are provided for account recovery.

Every request is scoped to a tenant at the API layer. Users can never access resources from other tenants — this is enforced at the middleware level before any business logic executes. Each tenant has isolated resource limits, feature flags, and branding.

Yes. The Identity service supports Article 20 (Data Portability) with full JSON export, and Article 17 (Right to Erasure) with complete account anonymization. All consent changes are recorded in an append-only audit trail with IP and user agent.

▶From the blog