Platform Module

Identity & Access: Auth, RBAC & Security

Enterprise-grade authentication and authorization built into the platform core. Multi-factor auth, OAuth2, 18+ roles, tenant isolation, and full GDPR compliance — out of the box.

Authentication

Every way in, fully secured

Multiple authentication methods, all secured with httpOnly cookies. No tokens exposed to JavaScript — ever.

Email & Password

  • Bcrypt hashing with 12 salt rounds
  • Min 8 chars — uppercase, lowercase, number
  • Account lockout after 5 failed attempts
  • 30-minute cooldown on lockout
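The lockout policy in the list above (5 consecutive failures, 30-minute cooldown), written out as an added example rather than the platform's own code. It assumes an in-memory per-account state and an injected clock; failures while locked are not counted, and a successful login clears the counter.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

MAX_FAILED_ATTEMPTS = 5        # lock on the 5th consecutive failure
LOCKOUT_SECONDS = 30 * 60      # 30-minute cooldown

@dataclass
class LockoutState:
    failures: int = 0
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked

class LockoutPolicy:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock                                  # injected for deterministic tests
        self._state: Dict[str, LockoutState] = {}
        self.events: List[Tuple[str, str]] = []             # (audit event, account), e.g. account_locked

    def _get(self, account: str) -> LockoutState:
        return self._state.setdefault(account, LockoutState())

    def is_locked(self, account: str) -> bool:
        st = self._get(account)
        if st.locked_until and self.clock() < st.locked_until:
            return True
        if st.locked_until:                                 # cooldown elapsed: clear lock and counter
            st.locked_until, st.failures = 0.0, 0
        return False

    def record_failure(self, account: str) -> bool:
        """Register a failed login; True if this failure locked the account."""
        if self.is_locked(account):
            return False                                    # already locked: neither counted nor extended
        st = self._get(account)
        st.failures += 1
        self.events.append(("failed_login", account))
        if st.failures >= MAX_FAILED_ATTEMPTS:
            st.locked_until = self.clock() + LOCKOUT_SECONDS
            self.events.append(("account_locked", account))
            return True
        return False

    def record_success(self, account: str) -> None:
        if self.is_locked(account):
            raise PermissionError("login must not succeed while the account is locked")
        self._state.pop(account, None)                      # successful login resets the counter
```

Call `is_locked()` before verifying the password at all, so a locked account never reaches the credential check.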

Multi-Factor (MFA)

  • TOTP — Google Authenticator, Authy compatible
  • One-time backup codes for recovery
  • Per-user or mandatory per-tenant enforcement
  • Timing-safe comparison to defeat timing side-channels

OAuth2 / Social Login

  • Google — OpenID Connect with email verification
  • GitHub — OAuth2 with user:email scope
  • Microsoft Azure AD — enterprise SSO
  • Auto account linking when emails match

Partner API Access (B2B)

  • OAuth2 Client Credentials grant (M2M)
  • Scoped API tokens with per-client rate limits
  • Optional IP whitelist per application
  • Provider tokens encrypted at rest

Token Management

Short-lived, auto-rotated

Tokens delivered via httpOnly, Secure, SameSite=Lax cookies. Automatic refresh on 401 — transparent to the user. Refresh tokens are single-use and rotated on every renewal.

  • Isolated cookie namespaces per frontend app
  • Single-use refresh tokens prevent replay attacks
  • Transparent renewal — no user intervention needed

Token lifecycle

  Token           Purpose                    Lifetime
  Access Token    API authentication (JWT)   15 min
  Refresh Token   Silent token renewal       7 days
  Service Token   Service-to-service auth    5 min
  Partner Token   B2B API access             1 hour

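Single-use refresh tokens with rotation and replay detection, as this section describes; this is an added example, not the platform's code. It assumes an in-memory store keyed by the SHA-256 digest of each token, an injected clock and the lifetimes from the table above; a random string stands in for the signed access JWT.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Set, Tuple

ACCESS_TTL = 15 * 60           # 15 min, per the lifecycle table (applies to the JWT this stub replaces)
REFRESH_TTL = 7 * 24 * 3600    # 7 days

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

class RefreshTokenStore:
    """Single-use refresh tokens. Each login starts a token family; every
    rotation consumes the presented token and issues a fresh one in the same
    family. Presenting a consumed token is treated as replay and kills the family."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock                                     # injected for deterministic tests
        self._rows: Dict[str, Tuple[str, str, float, bool]] = {}   # digest -> (user, family, expires_at, consumed)
        self._revoked_families: Set[str] = set()

    def issue(self, user_id: str, family_id: Optional[str] = None) -> str:
        family_id = family_id or secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self._rows[_digest(token)] = (user_id, family_id, self.clock() + REFRESH_TTL, False)
        return token                                           # only its digest is stored

    def rotate(self, presented: str) -> Optional[Tuple[str, str]]:
        """Exchange a refresh token for (access_token, new_refresh_token); None on failure."""
        key = _digest(presented)
        row = self._rows.get(key)
        if row is None:
            return None
        user_id, family_id, expires_at, consumed = row
        if consumed or family_id in self._revoked_families:
            self._revoked_families.add(family_id)              # replay detected: revoke the whole session
            return None
        if self.clock() > expires_at:
            return None
        self._rows[key] = (user_id, family_id, expires_at, True)   # single use
        access = secrets.token_urlsafe(32)                     # stands in for a signed JWT valid ACCESS_TTL
        return access, self.issue(user_id, family_id)

    def family_of(self, token: str) -> Optional[str]:
        row = self._rows.get(_digest(token))
        return row[1] if row else None

    def family_revoked(self, family_id: str) -> bool:
        return family_id in self._revoked_families
```

A `family_revoked` event is the signal worth alerting on: it means a refresh token was presented twice, which a legitimate client never does.
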
Authorization

18+ roles, granular control

Fine-grained role-based access control with built-in roles across every domain. Create custom roles for your organization. System roles are immutable.

System

  • admin
  • PLATFORM_ADMIN
  • admin_viewer

Sales

  • SALES_REP
  • SALES_MANAGER
  • ACCOUNT_MANAGER

Operations

  • NOC_OPERATOR
  • NOC_MANAGER
  • CLOUD_OPS
  • OPERATIONS_MANAGER

Support

  • SUPPORT_AGENT
  • SUPPORT_MANAGER

Finance

  • FINANCE_ANALYST
  • FINANCE_MANAGER

Other

  • SECURITY_ANALYST
  • product_manager
  • EXECUTIVE
  • customer_viewer

Access Control Decorators

  • @Public(): Unauthenticated access (login, register, OAuth)
  • @Roles(...): Restrict to specific roles
  • @ServiceOnly(): Service-to-service endpoints only
  • @CurrentUser(): Extract the authenticated user context

Multi-Tenancy

Complete tenant isolation

Every user belongs to a tenant. All data is automatically scoped — users can never access resources from other tenants. Configurable per organization with full branding support.

  • Tenant types: Customer, Partner, Internal
  • Configurable locale, timezone, currency, date format
  • Resource limits: max users, max cloud instances
  • Feature flags per tenant: billing, support, provisioning
  • Custom branding: logo, primary color, company URL
  • Invite-by-email with auto-role assignment

API Keys

Programmatic access

Create long-lived API keys for machine-to-machine integration. Prefixed, hashed, trackable, and instantly revocable.

1 — Generate

cf_prod_x7kM9nRp2vL4wQ8jF3hA...

Shown once — copy now or lose it forever

2 — Store

SHA256: e3b0c442...98f5

Original key is never stored — only the hash

3 — Authenticate

curl -H "Authorization: Bearer cf_prod_..." \
     api.cloudfactory.com/v1/resources
200 OK — authenticated

Shown Once

API key displayed only at creation. Cannot be retrieved later — regenerate if lost.

SHA256 Hashed

Only the hash is stored. Even a database breach won't expose your keys.

Prefixed Format

cf_prod_ and cf_dev_ prefixes for easy identification in logs and configs.

Usage Tracking

Last-used timestamps on every key. Identify stale keys and revoke them.

Instant Revocation

Revoke any key immediately from the admin panel. Takes effect on next request.
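The generate, store and authenticate flow above, as an added example rather than the platform's own code. It assumes an in-memory key table, an injected clock and the cf_prod_ / cf_dev_ prefixes from the page; the key id and Bearer header handling are illustrative.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

PREFIXES = {"prod": "cf_prod_", "dev": "cf_dev_"}

@dataclass
class ApiKeyRecord:
    key_id: str                       # safe to show in the admin panel and in logs
    owner: str
    digest: str                       # hex SHA-256 of the full key; the key itself is never stored
    revoked: bool = False
    last_used_at: Optional[float] = None

def _digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()

class ApiKeyStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock            # injected for deterministic tests
        self._records: List[ApiKeyRecord] = []

    def create(self, owner: str, env: str = "prod") -> Tuple[ApiKeyRecord, str]:
        raw = PREFIXES[env] + secrets.token_urlsafe(24)   # shown once to the caller, never persisted
        rec = ApiKeyRecord(key_id=secrets.token_hex(4), owner=owner, digest=_digest(raw))
        self._records.append(rec)
        return rec, raw

    def authenticate(self, authorization_header: str) -> Optional[ApiKeyRecord]:
        """Resolve 'Authorization: Bearer cf_prod_...' to its record, or None."""
        scheme, _, presented = authorization_header.partition(" ")
        if scheme != "Bearer" or not presented.startswith(tuple(PREFIXES.values())):
            return None
        digest = _digest(presented)
        for rec in self._records:
            if hmac.compare_digest(rec.digest, digest) and not rec.revoked:   # constant-time compare
                rec.last_used_at = self.clock()                               # usage tracking
                return rec
        return None                   # unknown or revoked key

    def revoke(self, key_id: str) -> bool:   # admin action; takes effect on the next request
        for rec in self._records:
            if rec.key_id == key_id:
                rec.revoked = True
                return True
        return False
```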

Audit Trail

Every action, fully traced

Every security-relevant action is logged with full context: actor, action, resource, timestamp, previous state, new state, and correlation ID for distributed tracing.

  • GDPR Art. 20 — Data Portability
  • GDPR Art. 17 — Right to Erasure

audit.log — live feed

  14:00:00  login
  14:07:13  logout
  14:14:26  failed_login
  15:21:39  account_locked
  15:28:52  password_changed
  15:35:05  role_assigned
  16:42:18  role_removed
  16:49:31  api_key_created
  16:56:44  api_key_deleted
  17:03:57  data_exported
  17:10:10  data_erased
  17:17:23  consent_granted
  18:24:36  consent_withdrawn
  18:31:49  oauth_client_created
  18:38:02  oauth_client_revoked

Security

Defense in depth

httpOnly Cookies

JWT tokens never exposed to JavaScript — immune to XSS token theft

Rate Limiting

50 req/min on auth endpoints, configurable per tenant tier

Account Lockout

5 failed attempts triggers 30-minute lockout with notification

Timing-Safe

Prevents timing attacks on token and password verification

Encrypted at Rest

OAuth provider credentials and tokens encrypted in database

Security Headers

CORS, CSP, HSTS — full header suite enforced at gateway level

Enterprise identity, built in

Stop building auth from scratch. Get MFA, OAuth2, RBAC, multi-tenancy, and GDPR compliance out of the box.

FAQ

Common Questions

All authentication tokens are delivered via httpOnly, Secure, SameSite=Lax cookies. This means JavaScript running in the browser can never read the token, making XSS-based token theft impossible. Token refresh happens transparently — a 401 response triggers automatic renewal.

Yes. MFA can be configured per-user or enforced as mandatory per-tenant. When mandatory, users are required to set up TOTP during their next login. Backup codes are provided for account recovery.

Every request is scoped to a tenant at the API layer. Users can never access resources from other tenants — this is enforced at the middleware level before any business logic executes. Each tenant has isolated resource limits, feature flags, and branding.

Yes. The Identity service supports Article 20 (Data Portability) with full JSON export, and Article 17 (Right to Erasure) with complete account anonymization. All consent changes are recorded in an append-only audit trail with IP and user agent.