Authentication & Authorization

User authentication methodology, access controls, and API security measures

Authentication & Authorization

This document details the authentication and authorization mechanisms implemented across the Wealthy platform to ensure secure access to systems and data.

Authentication by User Type

Users (Customers)

  • First Factor: OTP (One-Time Password) via SMS/Email
  • Second Factor: PIN-based authentication
  • Required for all login attempts and sensitive operations
  • There is an additional otp / pin for transactions like SIP, Mandate, etc as per use case
  • For mobile subsequent access is via Biometric(fingerprint, FaceID) if enabled by users else pin.

2FA Implementation Documentation

📁 2FA User Implementation Circulars

This folder contains detailed documentation on 2FA implementation for users including regulatory requirements, technical specifications, and implementation guidelines.

Security Features

  • Device Management: Trusted device registration and management
  • Account Recovery: Secure account recovery through details verifications.

Partners

Authentication Methods

  • Mobile App Authentication:

    • OTP (One-Time Password) verification
    • Biometric authentication (fingerprint, Face ID)
    • Device binding and trusted device management

  • API Access Authentication:

    • API key-based authentication for system integrations
    • Post login api token is generated which is used for accessing apis.
    • Rate limiting and throttling controls are added.

Security Features

  • Partner Verification: Authentication linked to verified partner agreements
  • Role-Based Access: Different access levels based on partnership type
  • Audit Logging: Comprehensive logging of all partner activities
  • IP Whitelisting: Restricted access from approved IP addresses only for specific service
  • GEO Blocking: Internal tools api are accessible only from few countries.

Partner Support

Authentication Methods

  • System-Generated Credentials:

    • Username/password generated by system administrators
    • No self-registration or password reset capabilities
    • Session timeout after 8 hours of inactivity

  • Customer Support Tools:

    • Role-based access to customer support systems
    • Read-only access to customer data

Internal Staff (Operations, Developers, Business)

Authentication Methods

  • Google Login Authentication:

    • Google Workspace SSO for all internal applications and tools

  • System and Development Access:

    • Google-authenticated access to all internal systems
    • Git repository access with wealthy email
    • Development and production server access through Google SSO
    • Server access also needs VPN to be enabled

Security Features

  • Pritunl VPN Security Layer: All internal tools accessed through Pritunl VPN for additional security
  • Pritunl VPN Authentication: Pritunl VPN login authenticated through Google OAuth
  • Device Management: Corporate-managed devices with security policies
  • VPN Access: Mandatory Pritunl VPN for all internal dev tools access(like airflow, kubernetes, grafana, etc)
  • Email Security: Google Workspace Security
  • Audit Trail: Logging of all internal staff activities

Role-Based Access Control (RBAC) System

RBAC Architecture

The Wealthy platform implements a comprehensive RBAC system that manages access control through groups and permissions across all services:

Core Components

  • Groups: Logical collections of users with similar access requirements
  • Permissions: Granular access rights to specific resources or operations
  • Tokens: All generated tokens are tagged with relevant groups and permissions
  • API Gateway: Centralized token verification and header injection
  • RBAC Service: Validates permissions and provides group access information

Actual RBAC Flow

API Call → Gateway Token Verification → Header Injection (user_id, permissions, groups) → Service Permission Check → Data Filtering → Response

The same RBAC system is used across all services in the platform.

API Authentication

Common API Authentication Flow

All APIs in the Wealthy platform follow a standardized authentication flow through multiple security layers:

Architecture Overview

Client Request → Cloudflare → Wealthy Gateway → Microservices

Security Layer Flow

  1. Cloudflare Protection:

    • DDoS protection and traffic filtering
    • Initial request validation and security checks
    • Bot detection and mitigation
    • AI scrapper protection

  2. Wealthy Gateway Processing:

    • Authentication Check: Token validation and user verification
    • Rate Limiting: Request throttling based on user/IP/endpoint
    • Geo Checks: Geographic access restrictions and blocking
    • Header Injection: User context and permissions attached to headers

  3. Microservice Processing:

    • Service receives request with injected security headers
    • Function-level permission validation
    • Data filtering based on user context
    • Business logic execution

Gateway Security Features

  • Authentication: Token validation
  • Rate Limiting: Rate limits based on user type and API endpoint
  • Geographic Restrictions: Country-level access controls for sensitive APIs
  • IP Whitelisting: IP restrictions for enhanced security
  • Real-time Monitoring: Anomaly detection and threat response
  • CORS Policy: Cross-origin request restrictions

Token Management

  • Tokens: Stateless/stateful authentication tokens as per auth
  • Token Revocation: Immediate token invalidation for security incidents
  • Multi-Device Support: Separate token management for different device types

API Security Controls

  • API Versioning: Version-specific access controls and deprecation management
  • Payload Validation: Request and response validation and sanitization
  • Error Handling: Secure error responses without information disclosure

Group Management

User Groups

  • Family User: Portfolio viewing only
  • Admin Users: Portfolio viewing, trading permissions

Partner Groups

  • Partner Admin: With full access
  • Employee: Full Access except revenue

Internal Staff Groups

  • Operations Group: Back office related permissions, Order updates, Feed uploads.
  • Tech & Product Group: Code repository, controlled, server access, CDN management
  • Finance Group: Access for revenue related features
  • Business Product: Access to manage product metadata.
  • Marketing Group : Campaign and template system access

Permission Framework

Granular Permission System

The platform uses specific, granular permissions rather than broad categories. Each permission is action-specific:

Example Granular Permissions

  • can_generate_report: Generate Specific Reports
  • can_update_bank_account: Permission to modify bank account details

Permission Assignment

  • Group-Based: Permissions assigned to groups, users inherit from group membership
  • Function-Specific: Each API endpoint/function checks for specific required permissions
  • Atomic Operations: Each permission covers a single, specific action or resource
  • Inheritance: Users can belong to multiple groups and inherit all associated permissions

RBAC Service Integration

Gateway-Based Permission Flow

  1. API Call Received: Client makes API call with authentication token
  2. Gateway Token Verification: API Gateway validates token authenticity
  3. User Context Extraction: Gateway extracts user_id, groups, and permissions from token
  4. Header Injection: Gateway attaches user info and permissions to request headers
  5. Service Permission Check: Downstream service reads headers and validates group access to specific function
  6. Data Filtering: Service filters data based on user_id from headers and permission checks
  7. Response Generation: Service returns appropriately filtered response

Service-Level Implementation

  • Header Reading: Each service reads injected headers (user_id, groups, permissions)
  • Function-Level Access: Services check if user’s groups have access to specific functions
  • Data Row-Level Security: Data filtering implemented using user_id and permission groups
  • Consistent RBAC: Same RBAC logic applied across all microservices
  • Performance Optimization: Headers eliminate need for repeated RBAC service calls

Group and Permission Management

Administrative Controls

  • Centralized Group Management: All user groups and memberships managed centrally
  • Permission Assignment: Granular assignment of permissions to groups
  • Dynamic Updates: Real-time updates to group memberships and permissions
  • Token Regeneration: Updated permissions reflected in new tokens upon re-authentication

Data Access Control

  • User-Based Filtering: Data filtered using user_id from injected headers
  • Group-Based Permissions: Function access determined by RBAC group membership
  • Row-Level Security: Individual data records filtered based on user permissions
  • Cross-Service Consistency: Same user context and permissions across all services

Compliance and Governance

  • Segregation of Duties: Critical operations require multiple permission sets
  • Least Privilege Principle: Users assigned minimum required permissions
  • Audit Trails: Complete logging of RBAC decisions and data access patterns
  • Performance Monitoring: Gateway and service-level RBAC performance tracking

Contact Information

Last modified November 11, 2025: RCA added for SIP failure (16439aa)