Authentication
Reeve uses a token-based authentication system to secure access to its APIs and services. This system is designed to ensure that only authorized users can access sensitive financial data and perform actions within the Reeve platform.
Currently four roles are defined explicitly and one implicitly:
- Admin: This role has full access to all features and functionalities of Reeve, including user management, configuration, and data access.
- Auditor: This role has read-only access to financial data and reports, allowing auditors to review and verify the information without making changes.
- Manager: This role has access to manage financial data and reports and is allowed to publish transactions.
- Accountant: This role has access to manage financial data and reports, but unlike the manager the accountant is not allowed to publish transactions.
- Public: This implicit role applies to anonymous users, who can access only the public part of Reeve.
Token-Based Authentication
Reeve uses JSON Web Tokens (JWT) for authentication. When a user logs in, they receive a token that must be included in the Authorization header of subsequent API requests. The token contains information about the user's role and permissions, allowing the server to authorize access to specific resources.
Reeve uses one additional claim in the JWT to provide more context about the user:
- organisations: A list of organisations the user is associated with. This allows the server to determine which organisation's data the user can access.
In the default setup Keycloak is used as the identity provider. Keycloak is an open-source identity and access management solution that provides features such as single sign-on, user federation, and social login. The default Keycloak configuration can be found here: realm-export.json.
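The following is an added example (not Reeve's own code) that puts the token flow and the role descriptions above together: it verifies a JWT, rejects tampered or expired tokens, and authorizes an action only when the caller's role permits it and the target organisation appears in the token's organisations claim. It assumes the claim names `roles` and `organisations`, the action names in the role matrix, and HS256 with a shared secret so it runs offline; a real deployment behind Keycloak validates the RS256 signature with the realm's public key instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; stands in for the identity provider's signing key.
SECRET = b"demo-secret-not-for-production"

# Permission matrix derived from the role descriptions above.
# Action names are assumptions for the sake of the example.
ROLE_ACTIONS = {
    "admin": {"read", "write", "publish", "manage_users"},
    "auditor": {"read"},
    "manager": {"read", "write", "publish"},
    "accountant": {"read", "write"},   # may edit, but not publish
    "public": set(),
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict) -> str:
    """Mint an HS256 JWT; stands in for the identity provider's login step."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now=None):
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        return None
    if header.get("alg") != "HS256":   # reject "none" and algorithm confusion
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims


def authorize(token: str, action: str, organisation: str, now=None) -> bool:
    """Allow `action` on `organisation` only for a valid token with a fitting role."""
    claims = verify_token(token, now)
    if claims is None:   # missing, tampered or expired: treat as Public
        return action in ROLE_ACTIONS["public"]
    if organisation not in claims.get("organisations", []):
        return False
    return any(action in ROLE_ACTIONS.get(r, set()) for r in claims.get("roles", []))
```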
Role based access
This overview shows which roles have access to which endpoint.
| Endpoint | Admin | Auditor | Manager | Accountant | Public |
|---|---|---|---|---|---|