Authentication

Sentinel uses JWT Bearer tokens with refresh token rotation, Argon2id password hashing, and role-based access control.


JWT Flow

┌─────────┐     POST /auth/login      ┌─────────────┐
│  Client │ ─────────────────────────►│ Studio BFF  │
│         │                           │ (Argon2id)  │
│         │ ◄──── access + refresh ───┤             │
│         │                           └─────────────┘
│         │     API call + Bearer
│         │ ─────────────────────────► Protected
│         │                           Resource
│         │     401 (expired)
│         │ ◄─────────────────────────
│         │     POST /auth/refresh
│         │ ─────────────────────────► New tokens

Login

curl -X POST https://sentinel.centricitywealth.tech/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@firm.com",
    "password": "secure-password"
  }'

Response:

{
  "access_token": "eyJhbG...",
  "refresh_token": "eyJhbG...",
  "token_type": "bearer",
  "expires_in": 3600,
  "user": {
    "id": "usr_123",
    "email": "user@firm.com",
    "role": "analyst",
    "tenant_id": "ten_abc"
  }
}

Using the Access Token

Include in every request:

Authorization: Bearer eyJhbG...

The access token expires in 1 hour.


Refresh Token

When you receive a 401:

curl -X POST https://sentinel.centricitywealth.tech/api/v1/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{"refresh_token": "eyJhbG..."}'

Response: New access_token + refresh_token pair. The old refresh_token is invalidated.

Security: Store refresh tokens securely (HttpOnly cookies preferred). Never expose them in client-side code.


RBAC Roles

Role      Permissions                              Typical User
viewer    Read own data                            Junior analyst, client
analyst   Upload, process, chat, export            Relationship manager
admin     User management, tenant config, audit    Platform admin, compliance

Role is encoded in the JWT role claim. The API gateway enforces it.
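The following is an added example, not Sentinel's own code, covering both the JWT flow (issue, expire, refresh with rotation) and the RBAC enforcement described above. It uses a stdlib-only HS256 encoder in place of a JWT library, an assumed signing key, an assumed 30-day refresh lifetime (the page states only the 1-hour access lifetime), and permission names transcribed from the RBAC table. The refresh store keeps each refresh token's jti as single-use, which is what "the old refresh_token is invalidated" means in practice.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed HS256 key for this example only; a deployment loads it from a secret store.
SIGNING_KEY = b"example-signing-key-replace-in-production"
ACCESS_TTL = 3600          # documented: access token expires in 1 hour
REFRESH_TTL = 30 * 86400   # assumed; the page does not state the refresh token lifetime

# Permission sets transcribed from the RBAC table.
ROLE_PERMISSIONS = {
    "viewer": {"read_own"},
    "analyst": {"read_own", "upload", "process", "chat", "export"},
    "admin": {"read_own", "upload", "process", "chat", "export",
              "manage_users", "tenant_config", "audit"},
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_jwt(claims: dict) -> str:
    """Minimal HS256 JWT encoder (stdlib only, standing in for a JWT library)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def decode_jwt(token: str, now: float) -> dict:
    """Verify signature and expiry. Raises ValueError, which the gateway maps to 401."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    # The algorithm is pinned server-side; the header's alg field is never trusted.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

class TokenService:
    """Issues access/refresh pairs and rotates refresh tokens: each one is single-use."""

    def __init__(self) -> None:
        self._active_refresh = {}   # jti -> user record (an in-memory stand-in for a DB)

    def issue(self, user: dict, now: float) -> dict:
        base = {"sub": user["id"], "role": user["role"], "tenant_id": user["tenant_id"]}
        access = encode_jwt({**base, "typ": "access", "exp": now + ACCESS_TTL})
        jti = secrets.token_urlsafe(16)
        refresh = encode_jwt({**base, "typ": "refresh", "jti": jti, "exp": now + REFRESH_TTL})
        self._active_refresh[jti] = user
        return {"access_token": access, "refresh_token": refresh,
                "token_type": "bearer", "expires_in": ACCESS_TTL}

    def refresh(self, refresh_token: str, now: float) -> dict:
        claims = decode_jwt(refresh_token, now)
        if claims.get("typ") != "refresh":
            raise ValueError("not a refresh token")
        # pop() is the rotation step: the presented refresh token can never be used again.
        user = self._active_refresh.pop(claims["jti"], None)
        if user is None:
            raise ValueError("refresh token already used or revoked")
        return self.issue(user, now)

def authorize(authorization: str, permission: str, now: float) -> int:
    """Gateway check for one request: 200 allowed, 401 bad/expired token, 403 role lacks permission."""
    if not authorization.startswith("Bearer "):
        return 401
    try:
        claims = decode_jwt(authorization[len("Bearer "):], now)
    except ValueError:
        return 401
    if claims.get("typ") != "access":   # a refresh token must not pass as an access token
        return 401
    if permission not in ROLE_PERMISSIONS.get(claims.get("role"), set()):
        return 403
    return 200

if __name__ == "__main__":
    svc = TokenService()
    now = time.time()
    tokens = svc.issue({"id": "usr_123", "role": "analyst", "tenant_id": "ten_abc"}, now)
    print("analyst export:", authorize("Bearer " + tokens["access_token"], "export", now))
    print("analyst audit:", authorize("Bearer " + tokens["access_token"], "audit", now))
    print("after 1 hour:", authorize("Bearer " + tokens["access_token"], "export", now + ACCESS_TTL))
    new = svc.refresh(tokens["refresh_token"], now + ACCESS_TTL)
    print("rotated:", authorize("Bearer " + new["access_token"], "export", now + ACCESS_TTL))
    try:
        svc.refresh(tokens["refresh_token"], now + ACCESS_TTL)
    except ValueError as exc:
        print("old refresh token:", exc)
```

Two checks in `authorize` are easy to forget in a real gateway: the `typ` claim, so a long-lived refresh token cannot be presented as an access token, and the pinned algorithm, so the token header cannot choose how it is verified.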


Password Policy

  • Minimum 12 characters
  • At least 1 uppercase, 1 lowercase, 1 digit, 1 symbol
  • Argon2id hashing (memory: 64MB, iterations: 3, parallelism: 4)
  • No password reuse for last 5 passwords
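An added example (not Sentinel's code) of enforcing this policy server-side: a complexity check that reports every failed rule, Argon2id hashing with the listed parameters via the argon2-cffi `PasswordHasher`, and a reuse check against the stored hashes of the last 5 passwords rather than any plaintext history. Where argon2-cffi is not installed the block falls back to `hashlib.scrypt` purely so it still runs; that fallback is an assumption of the example, not the documented scheme.

```python
import base64
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12
HISTORY_DEPTH = 5                # no reuse of the last 5 passwords
ARGON2_MEMORY_KIB = 64 * 1024    # 64 MB
ARGON2_TIME_COST = 3             # iterations
ARGON2_PARALLELISM = 4

try:
    from argon2 import PasswordHasher
    from argon2.exceptions import VerifyMismatchError

    _hasher = PasswordHasher(time_cost=ARGON2_TIME_COST,
                             memory_cost=ARGON2_MEMORY_KIB,
                             parallelism=ARGON2_PARALLELISM)

    def hash_password(password: str) -> str:
        return _hasher.hash(password)

    def verify_password(stored: str, password: str) -> bool:
        try:
            return _hasher.verify(stored, password)
        except VerifyMismatchError:
            return False

except ImportError:
    # Fallback only so the example runs without argon2-cffi; it is NOT the
    # documented Argon2id scheme and must not be deployed in its place.
    def hash_password(password: str) -> str:
        salt = os.urandom(16)
        digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
        return "scrypt$%s$%s" % (base64.b64encode(salt).decode(),
                                 base64.b64encode(digest).decode())

    def verify_password(stored: str, password: str) -> bool:
        _, salt_b64, digest_b64 = stored.split("$")
        digest = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt_b64),
                                n=2 ** 14, r=8, p=1)
        return hmac.compare_digest(digest, base64.b64decode(digest_b64))

def check_policy(password: str) -> list:
    """Return the policy rules the password fails; an empty list means it is acceptable."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for pattern, label in ((r"[A-Z]", "uppercase letter"), (r"[a-z]", "lowercase letter"),
                           (r"[0-9]", "digit"), (r"[^A-Za-z0-9]", "symbol")):
        if not re.search(pattern, password):
            failures.append(f"missing {label}")
    return failures

class PasswordStore:
    """Keeps the current hash plus the previous ones needed for the reuse check."""

    def __init__(self) -> None:
        self._history = {}   # user_id -> [current_hash, previous_hash, ...]

    def set_password(self, user_id: str, password: str) -> None:
        failures = check_policy(password)
        if failures:
            raise ValueError("policy violation: " + "; ".join(failures))
        history = self._history.get(user_id, [])
        # Reuse is detected by verifying against stored hashes; no plaintext is kept.
        if any(verify_password(h, password) for h in history[:HISTORY_DEPTH]):
            raise ValueError(f"password matches one of the last {HISTORY_DEPTH}")
        self._history[user_id] = ([hash_password(password)] + history)[:HISTORY_DEPTH]

    def verify(self, user_id: str, password: str) -> bool:
        history = self._history.get(user_id)
        return bool(history) and verify_password(history[0], password)

if __name__ == "__main__":
    store = PasswordStore()
    print("weak password fails:", check_policy("password"))
    store.set_password("usr_123", "Tr0ub4dor&3xtra!")   # constructed sample password
    print("login ok:", store.verify("usr_123", "Tr0ub4dor&3xtra!"))
    store.set_password("usr_123", "Second-Passw0rd!")
    try:
        store.set_password("usr_123", "Tr0ub4dor&3xtra!")
    except ValueError as exc:
        print("rejected:", exc)
```

The reuse check costs one Argon2id verification per retained hash, so with the 64 MB setting a password change can take a few hundred milliseconds; that cost is by design and is the reason the history is capped at 5.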

SSO (SAML 2.0 / OIDC)

Enterprise tenants can configure SSO:

POST /api/v1/auth/sso/configure
{
  "protocol": "saml2",
  "metadata_url": "https://idp.firm.com/metadata.xml",
  "attribute_mapping": {
    "email": "user.email",
    "role": "user.group"
  }
}

After configuration, users can log in via:

https://sentinel.centricitywealth.tech/api/v1/auth/sso/login?tenant=ten_abc