Authentication
Reeve uses a token-based authentication system to secure access to its APIs and services. This system is designed to ensure that only authorized users can access sensitive financial data and perform actions within the Reeve platform.
Currently three roles are defined:
- Admin: This role has full access to all features and functionalities of Reeve, including user management, configuration, and data access.
- Manager: This role has access to manage financial data and reports and is allowed to publish transactions and reports to the blockchain.
- Accountant: This role has access to manage financial data and reports, but unlike the Manager, the Accountant is not allowed to publish transactions or reports.
Public access to published financial data is handled through the dedicated Indexer service, which provides a separate interface for stakeholders to access publicly available information without requiring authentication.
Token-Based Authentication
Reeve uses JSON Web Tokens (JWT) for authentication. When a user logs in, they receive a token that must be included in the Authorization header of subsequent API requests. The token contains information about the user’s role and permissions, allowing the server to authorize access to specific resources.
Reeve uses one additional field in the JWT to provide more context about the user:
organisations: A list of organisations the user is associated with. This allows the server to determine which organisation's data the user can access.
In the default setup Keycloak is used as the identity provider. Keycloak is an open-source identity and access management solution that provides features such as single sign-on, user federation, and social login. The default Keycloak configuration can be found here: realm-export.json.
Role-Based Access Control
This table provides a comprehensive overview of which roles have access to specific API endpoints and operations. The primary difference between roles is that only Managers can publish transactions and reports to the blockchain.
Access Levels
- ✅ Can Access - Role can access this endpoint
- ✖️ Cannot Access - Role cannot access this endpoint
Endpoint Access Matrix
| Endpoint | Operation | Admin | Manager | Accountant |
|---|---|---|---|---|
| Organisation Management | | | | |
| /api/v1/organisations | GET (List) | ✅ | ✅ | ✅ |
| /api/v1/organisations | POST (Create) | ✅ | ✖️ | ✖️ |
| /api/v1/organisations/{orgId} | GET | ✅ | ✅ | ✅ |
| /api/v1/organisations/{orgId} | PUT (Update) | ✅ | ✖️ | ✖️ |
| /api/v1/organisations/{orgId}/validate | GET | ✅ | ✅ | ✅ |
| /api/v1/organisations/{orgId}/events | GET | ✅ | ✅ | ✅ |
| Chart of Accounts | | | | |
| /api/v1/organisations/{orgId}/chart-of-accounts | GET | ✅ | ✅ | ✅ |
| /api/v1/organisations/{orgId}/chart-of-accounts | POST | ✅ | ✖️ | ✖️ |
| /api/v1/organisations/{orgId}/chart-of-accounts | PUT | ✅ | ✖️ | ✖️ |
| /api/v1/organisations/{orgId}/chart-of-accounts/download | GET | ✅ | ✅ | ✅ |
| /api/v1/organisations/{orgId}/chart-types | GET | ✅ | ✅ | ✅ |
| Cost Centers & Projects | | | | |
| /api/v1/organisations/{orgId}/cost-centers | GET | ✅ | ✅ | ✅ |
| /api/v1/organisations/{orgId}/cost-centers | POST | ✅ | ✖️ | ✖️ |
| /api/v1/organisations/{orgId}/cost-centers | PUT | ✅ | ✖️ | ✖️ |
| /api/v1/organisations/{orgId}/cost-centers/download | GET | ✅ | ✅ | ✅ |
| /api/v1/organisations/{orgId}/projects | GET | ✅ | ✅ | ✅ |
| /api/v1/organisations/{orgId}/projects | POST | ✅ | ✖️ | ✖️ |
| /api/v1/organisations/{orgId}/projects | PUT | ✅ | ✖️ | ✖️ |
| Reference Codes | | | | |
| /api/v1/organisations/{orgId}/reference-codes | GET | ✅ | ✅ | ✅ |
| /api/v1/organisations/{orgId}/reference-codes | POST | ✅ | ✖️ | ✖️ |
| /api/v1/organisations/{orgId}/reference-codes | PUT | ✅ | ✖️ | ✖️ |
| Event Codes | | | | |
| /api/v1/organisations/{orgId}/event-codes | GET | ✅ | ✅ | ✅ |
| /api/v1/organisations/{orgId}/event-codes | POST | ✅ | ✖️ | ✖️ |
| /api/v1/organisations/{orgId}/event-codes | PUT | ✅ | ✖️ | ✖️ |
| Currency Management | | | | |
| /api/v1/organisations/{orgId}/currencies | GET | ✅ | ✅ | ✅ |
| /api/v1/organisations/{orgId}/currencies | POST | ✅ | ✖️ | ✖️ |
| /api/v1/organisations/{orgId}/currencies | PUT | ✅ | ✖️ | ✖️ |
| VAT Codes | | | | |
| /api/v1/organisations/{orgId}/vat-codes | GET | ✅ | ✅ | ✅ |
| /api/v1/organisations/{orgId}/vat-codes | POST | ✅ | ✖️ | ✖️ |
| /api/v1/organisations/{orgId}/vat-codes | PUT | ✅ | ✖️ | ✖️ |
| Transaction Management | | | | |
| /api/v1/transactions | POST (List/Search) | ✅ | ✅ | ✅ |
| /api/v1/transactions/{id} | GET | ✅ | ✅ | ✅ |
| /api/v1/transactions/approve | POST | ✅ | ✅ | ✅ |
| /api/v1/transactions/publish | POST | ✅ | ✅ | ✖️ |
| /api/v1/transaction/reject | POST | ✅ | ✅ | ✅ |
| Extraction & Data Import | | | | |
| /api/v1/extraction | POST (Trigger) | ✅ | ✅ | ✅ |
| /api/v1/extraction/validation | POST | ✅ | ✅ | ✅ |
| /api/v1/extraction/search | POST | ✅ | ✅ | ✅ |
| Batch Management | | | | |
| /api/v1/batches | POST (List) | ✅ | ✅ | ✅ |
| /api/v1/batches/{batchId} | GET/POST | ✅ | ✅ | ✅ |
| /api/v1/batches/reprocess/{batchId} | GET | ✅ | ✅ | ✅ |
| Reporting - Templates | | | | |
| /api/v1/reporting/templates | GET | ✅ | ✅ | ✅ |
| /api/v1/reporting/templates | POST (Create) | ✅ | ✖️ | ✖️ |
| /api/v1/reporting/templates | PUT (Update) | ✅ | ✖️ | ✖️ |
| /api/v1/reporting/templates/{id} | GET | ✅ | ✅ | ✅ |
| /api/v1/reporting/templates/{id} | DELETE | ✅ | ✖️ | ✖️ |
| Reporting - Reports | | | | |
| /api/v1/reporting/reports | GET | ✅ | ✅ | ✅ |
| /api/v1/reporting/reports | POST (Create) | ✅ | ✅ | ✅ |
| /api/v1/reporting/reports/{id} | GET | ✅ | ✅ | ✅ |
| /api/v1/reporting/reports/{id} | DELETE | ✅ | ✅ | ✅ |
| /api/v1/reporting/reports/generate | POST | ✅ | ✅ | ✅ |
| /api/v1/reporting/reports/publish | POST | ✅ | ✅ | ✖️ |
| /api/v1/reporting/reports/{id}/reprocess | POST | ✅ | ✅ | ✅ |
| Reconciliation | | | | |
| /api/v1/transactions-reconcile | POST | ✅ | ✅ | ✅ |
| /api/v1/reconcile/trigger | POST | ✅ | ✅ | ✅ |
| /api/v1/transactions-rejection-codes | GET | ✅ | ✅ | ✅ |
| Utility Endpoints | | | | |
| /api/v1/transaction-types | GET | ✅ | ✅ | ✅ |
| /api/v1/rejection-reasons | GET | ✅ | ✅ | ✅ |
| /api/v1/filter-options/{orgId} | GET | ✅ | ✅ | ✅ |
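As an added illustration of the token checks described under Token-Based Authentication and of the access matrix above (example code, not Reeve's own implementation): a minimal Python authorizer that verifies an HS256-signed JWT, reads the role and organisations claims, and enforces a subset of the matrix, scoping {orgId} paths to the organisations listed in the token. The "role" claim name, the HS256 secret and the token contents are constructed assumptions; Keycloak's real tokens are RS256-signed and lay out roles differently.

```python
import base64, hashlib, hmac, json

# Constructed HS256 secret for this demo; Keycloak would normally sign with RS256.
SECRET = b"demo-secret-not-for-production"

# Subset of the endpoint access matrix: (method, path template) -> allowed roles.
# Assumption: the role is carried in a "role" claim (the real claim name may differ).
ACCESS = {
    ("POST", "/api/v1/organisations"): {"admin"},
    ("GET", "/api/v1/organisations/{orgId}/vat-codes"): {"admin", "manager", "accountant"},
    ("PUT", "/api/v1/organisations/{orgId}/vat-codes"): {"admin"},
    ("POST", "/api/v1/transactions/publish"): {"admin", "manager"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(claims: dict) -> str:
    """Issue a test token; stands in for the identity provider (Keycloak)."""
    head, body = _b64url(b'{"alg":"HS256","typ":"JWT"}'), _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_token(token: str) -> dict:
    """Check the algorithm and signature before trusting any claim in the body."""
    head, body, sig = token.split(".")
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuses alg=none and algorithm-confusion tokens
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))

def _match(method: str, path: str):
    # Find the matrix entry for a concrete path; returns (roles, orgId-or-None) or None.
    parts = path.strip("/").split("/")
    for (m, tpl), roles in ACCESS.items():
        tparts = tpl.strip("/").split("/")
        if m == method and len(tparts) == len(parts) and all(
                t == p or t == "{orgId}" for t, p in zip(tparts, parts)):
            return roles, dict(zip(tparts, parts)).get("{orgId}")
    return None

def authorize(token: str, method: str, path: str) -> bool:
    """Role check from the matrix, then organisation scoping from the organisations claim."""
    claims = verify_token(token)
    roles, org = _match(method, path) or (set(), None)  # deny by default: unknown endpoint
    if claims.get("role") not in roles:
        return False
    return org is None or org in claims.get("organisations", [])
```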
Key Permissions by Role
Admin
- Full access to all endpoints
- Can create, update, delete configurations
- Can manage users and organisations
- Can publish transactions and reports to blockchain
- Can manage all reports and templates
Manager
- Can access and manage transactions and reports
- Can approve and publish transactions to blockchain
- Can create and publish reports to blockchain
- Can trigger extractions and reconciliations
- Cannot create or modify organisational configurations
Accountant
- Can access and manage transactions and reports
- Can approve transactions (but cannot publish them)
- Can create reports (but cannot publish them)
- Can trigger extractions and reconciliations
- Cannot create or modify organisational configurations
- Cannot publish transactions or reports to blockchain