JWT role-based access control

ID MOD-044
System SD07
Repo bank-platform
Build status Deployed
Deployed Yes
Last commit 6c850ea224faf26b37bbbdd5676906b17502eba8

All API calls authenticated via JWT containing role claims. Gateway enforces scope at API level. See ADR-004.


Module dependencies

Depends on

Module  | Title                              | Required? | Contract | Reason
MOD-045 | Secrets & key management           | Required  |          | JWT signing keys are managed by the secrets and key management module — token validation requires access to current signing keys.
MOD-104 | AWS shared infrastructure bootstrap | Required  |          | AWS shared infrastructure provisioned by MOD-104 (EventBridge buses, S3, KMS, Kinesis, Cognito) is required before this module can be deployed.

Required by

Module  | Title                               | As | Contract
MOD-047 | Agent action logger                 |    | Hard dependency
MOD-049 | Open banking consent management     |    | Hard dependency
MOD-052 | Role-scoped data access             |    | Hard dependency
MOD-061 | Open banking API platform           |    | Hard dependency
MOD-064 | Operations work queue               |    | Hard dependency
MOD-068 | Authentication & session management |    | Hard dependency
MOD-073 | Document vault                      |    | Hard dependency
MOD-074 | Back-office customer 360            |    | Hard dependency
MOD-075 | Internal API gateway                |    | Hard dependency
MOD-176 | Snowflake read API service          |    | Hard dependency

Policies satisfied

Policy  | Title                        | Mode | How
DT-001  | Information Security Policy  | GATE | Least-privilege enforced at API gateway — no client-side security reliance
GOV-007 | Conflicts of Interest Policy | AUTO | Role separation enforced — no single user can hold conflicting roles
GOV-006 | Internal Audit Policy        | LOG  | All authenticated API calls logged with user ID, role, endpoint, and timestamp

Capabilities satisfied

Capability | Title                   | Mode | How
CAP-074    | Role-scoped API gateway | GATE | Validates the JWT and enforces role-based scopes on every API request — no data is returned outside the caller's permitted scope.

Part of SD07 — Data Platform & Governance Infrastructure
Compiled 2026-05-22 from source/entities/modules/MOD-044.yaml