Skip to main content

Security Reference

Comprehensive security guide covering authentication, encryption, compliance, and operational security.

Authentication Methods

OLIVE supports multiple authentication mechanisms for different use cases:

API Keys

Third-party integrationsAuthorization: Bearer olive_live_xxx

JWT Tokens

Admin dashboardAuthorization: Bearer eyJhbG...

HMAC Signatures

POS terminalsX-Signature + X-Timestamp

Service Auth

Internal servicesShared secrets for Agent-TS

API Key Authentication

API keys are used for third-party integrations: 
curl -X GET "https://olive-gateway-a6ba.onrender.com/api/v1/balance/user123" \
  -H "Authorization: Bearer olive_live_XXXXXXXXXXXXXXXX"

Key Formats

EnvironmentPrefixExample
Productionolive_live_olive_live_abc123xyz
Sandboxolive_test_olive_test_abc123xyz

Key Scopes

ScopeAccess
readBalance, transaction history
writeCreate payments, transfers
adminUser management, settings

JWT Authentication

Admin dashboard uses JWT tokens: 
# Login to get token
curl -X POST "https://olive-gateway-a6ba.onrender.com/api/v1/admin/login" \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": "secret"}'

# Response
{
  "token": "eyJhbGciOiJIUzI1NiIs...",
  "refresh_token": "eyJhbGciOiJIUzI1NiIs...",
  "expires_in": 86400
}

# Use token
curl -H "Authorization: Bearer eyJhbG..."

JWT Configuration

# gateway/config.yaml
auth:
  jwt_secret: "${JWT_SECRET}"  # Minimum 32 characters
  jwt_expiry: 24h
  refresh_expiry: 168h
JWT secrets must be at least 32 characters. Use a cryptographically secure random generator.

HMAC Authentication

POS terminals use HMAC-SHA256 signatures: 
const crypto = require('crypto');

function generateSignature(method, path, body, timestamp, secret) {
  const payload = body 
    ? `${method}|${path}|${body}|${timestamp}`
    : `${method}|${path}||${timestamp}`;
  
  return crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
}

// Usage
const signature = generateSignature(
  'POST',
  '/api/v1/pos/payment',
  JSON.stringify({ amount: 5000 }),
  Date.now().toString(),
  'your_hmac_secret'
);

Required Headers

HeaderDescription
X-Client-IDMerchant/processor ID
X-SignatureHMAC-SHA256 signature
X-TimestampUnix timestamp (ms)
Signatures are valid for 5 minutes. Ensure your server clock is synchronized with NTP.

TLS Configuration

External Traffic (TLS 1.3)

All external traffic uses TLS 1.3: 
# gateway/config.yaml
tls:
  enabled: true
  cert_file: /certs/gateway.crt
  key_file: /certs/gateway.key
  min_version: "1.3"

Internal Traffic (mTLS)

gRPC between Gateway and Wallet-Core uses mutual TLS: 
# wallet-core/config.yaml
tls:
  enabled: true
  cert_file: /certs/wallet-core.crt
  key_file: /certs/wallet-core.key
  ca_file: /certs/ca.crt
  require_client_cert: true

Certificate Rotation

  • Rotate certificates every 90 days
  • Use automated renewal (cert-manager, Let’s Encrypt)
  • Monitor certificate expiry with alerts

Secrets Management

export JWT_SECRET=$(openssl rand -base64 32)
export DATABASE_URL="postgres://user:pass@host:5432/db"
export OPENAI_API_KEY="sk-..."
Never commit secrets to version control. Use environment variables or a secrets manager.

Rate Limiting

Configure per-client rate limits: 
# gateway/config.yaml
rate_limit:
  enabled: true
  requests_per_second: 100
  burst: 200
  by_client: true

Rate Limit Headers

HeaderDescription
X-RateLimit-LimitMaximum requests per window
X-RateLimit-RemainingRequests remaining
X-RateLimit-ResetWindow reset timestamp

Security Layers

  • VPC isolation for internal services
  • Firewall rules restricting access
  • Network policies in Kubernetes
  • Private subnets for databases
  • TLS 1.3 for all external traffic
  • mTLS for internal gRPC communication
  • Certificate pinning for critical services
  • Regular certificate rotation
  • JWT/OAuth2 authentication
  • API key management with scopes
  • Rate limiting per client
  • Input validation and sanitization
  • Encrypted database connections
  • Encryption at rest (optional)
  • Comprehensive audit logging
  • Idempotency keys for operations

PII and Data Protection

KYC Document Handling

  • Documents stored in private S3 bucket
  • Access via short-lived pre-signed URLs
  • No PII in application logs
  • Encryption at rest with KMS

Data Retention

Data TypeRetention
Transaction logs7 years
Audit logs5 years
KYC documentsPer regulation
Session data24 hours

Compliance

Designed to support:

PCI-DSS

Payment card industry standards

GDPR

European data protection

SOC 2 Type II

Security and availability

ISO 27001

Information security management

Threat Mitigation

ThreatMitigation
DDoS attacksRate limiting, load balancing, WAF
SQL injectionParameterized queries, input validation
Man-in-the-middleTLS/mTLS encryption
Replay attacksIdempotency keys, timestamps
Privilege escalationLeast privilege, RBAC
Credential stuffingRate limiting, account lockout

Security Checklist

Complete before production deployment.

Infrastructure

  • TLS/mTLS enabled on all services
  • Firewall rules configured
  • Network policies in place
  • VPC isolation for database

Application

  • Strong JWT secret (32+ chars)
  • Rate limiting enabled
  • Input validation active
  • Audit logging enabled

Operations

  • Monitoring and alerting
  • Regular backups
  • Incident response plan
  • Security training completed

Incident Response

1

Detection

Monitor logs and alerts for suspicious activity
2

Containment

Isolate affected systems, revoke compromised credentials
3

Investigation

Analyze audit logs and transaction history
4

Remediation

Apply fixes, patches, and security updates
5

Recovery

Restore normal operations
6

Post-Mortem

Document findings and improve processes

Gateway Authentication

Detailed auth configuration

Deployment Guide

Production deployment