OBrain Hub

Security & Hardening

Overview of the governance and security protocols implemented.

Security

Security is the core pillar of OConnect Hub. The platform implements a "fail-closed" architecture to ensure data integrity and sovereignty.

Authentication

  • JWT-based: All management routes are protected by JSON Web Tokens.
  • API Keys: External integrations use hashed API Keys passed via X-API-Key headers.

Hardening Measures

  • Soft Multi-tenancy (TenantDB): Implements a database proxy that automatically injects tenant filters (userId, sellerId) into every query, preventing cross-tenant data leakage by design.
  • RBAC (Permission-based): Migrated from simple Role checks to a granular permission system (intel.scan, orders.write), ensuring that plan levels (FREE to ENTERPRISE) have strict access control.
  • Idempotency: All mutation requests (POST/PUT/DELETE) can include an x-idempotency-key header to prevent duplicate processing, using Cloudflare KV as a distributed state store.
  • Protected Paths: Critical endpoints like /api/admin/* and /api/manager/* are strictly controlled by a centralized middleware.
  • HMAC Verification: Shopify webhooks are verified using the Web Crypto API, performing deterministic signature validation.
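
The HMAC verification item above, as an added example that is not OConnect Hub's own code: it checks the base64 value Shopify sends in the X-Shopify-Hmac-Sha256 header against the raw request body using crypto.subtle.verify, and returns false on any missing or malformed input. The function names, secret and payloads are constructed for illustration.

```javascript
// Added example: fail-closed Shopify webhook check (falls back to Node's webcrypto).
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const encoder = new TextEncoder();

// Decode base64; return null on malformed input instead of throwing.
function base64ToBytes(b64) {
  try {
    return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  } catch {
    return null;
  }
}

function importHmacKey(secret, usages) {
  return webCrypto.subtle.importKey("raw", encoder.encode(secret),
    { name: "HMAC", hash: "SHA-256" }, false, usages);
}

// rawBody: the exact bytes received, read before any JSON parsing.
async function verifyShopifyWebhook(rawBody, hmacHeader, secret) {
  if (!secret || !hmacHeader) return false; // fail closed
  const signature = base64ToBytes(hmacHeader);
  if (!signature || signature.length !== 32) return false; // SHA-256 tag size
  const key = await importHmacKey(secret, ["verify"]);
  // verify() recomputes the MAC and compares inside the crypto layer,
  // avoiding a hand-written string comparison of digests.
  return webCrypto.subtle.verify("HMAC", key, signature, rawBody);
}

// Test helper only: computes the header value a sender would attach.
async function signForTest(rawBody, secret) {
  const key = await importHmacKey(secret, ["sign"]);
  const mac = new Uint8Array(await webCrypto.subtle.sign("HMAC", key, rawBody));
  return btoa(String.fromCharCode(...mac));
}

// Constructed secret and payloads, not real Shopify data.
async function demo() {
  const secret = "constructed-test-secret";
  const body = encoder.encode('{"id":1001,"total_price":"19.99"}');
  const header = await signForTest(body, secret);
  const tampered = encoder.encode('{"id":1001,"total_price":"0.01"}');
  return {
    valid: await verifyShopifyWebhook(body, header, secret),
    tampered: await verifyShopifyWebhook(tampered, header, secret),
    missingHeader: await verifyShopifyWebhook(body, null, secret),
    malformed: await verifyShopifyWebhook(body, "not base64!!", secret),
  };
}
```

In a Worker, pass `await request.arrayBuffer()` as rawBody; verifying a re-serialized JSON object instead of the received bytes will fail for valid webhooks.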

Cryptographic Standards

  • Hash Algorithm: SHA-256 for general lookups.
  • HMAC Algorithm: SHA-256 via Web Crypto.
  • Signing Algorithm: HS256 for JWT.

[!IMPORTANT] All sensitive operations are now handled via the Web Crypto API to ensure maximum performance and security on the Cloudflare Edge.