SWAIN

Security

Enterprise-grade security built into every layer: modern auth, fine-grained authorization, and safe-by-default data access.

Authentication

Flexible authentication with JWT and API keys. Simple to configure, secure by design.

JWT Bearer Tokens

  • JWT signed with HS512 (shared-secret HMAC, so the signing key must stay server-side) with configurable lifetimes
  • Access + refresh flows
  • Claims: user, roles, scopes

API Key Authentication

  • Secure key generation
  • Key expiration + revocation
  • Usage tracking

Authentication Headers
# JWT Bearer Token
Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9...

# API Key
X-API-KEY: sk_live_a1b2c3d4e5f6...
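
Added example, not SWAIN's code: a minimal issuer and verifier for the two header forms above. It mints HS512 access and refresh tokens with the Python standard library (the header segment it produces is the one shown on this page), pins the algorithm on verification, and keeps API keys only as SHA-256 digests with expiry, revocation and a usage counter. The secret, the lifetimes, the in-memory store and the sk_live_ key format beyond the prefix are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed server-side HMAC secret. HS512 is symmetric: whoever holds this key can mint
# tokens, so it never leaves the token issuer/verifier.
JWT_SECRET = b"replace-with-a-64-byte-random-secret"
ACCESS_TTL = 15 * 60          # assumed lifetimes (the page says they are configurable)
REFRESH_TTL = 7 * 24 * 3600

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(claims):
    header = _b64url(json.dumps({"alg": "HS512", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha512).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def issue_tokens(sub, roles, now=None):
    """Access + refresh pair; 'typ' stops a refresh token being replayed as an access token."""
    now = int(now if now is not None else time.time())
    base = {"sub": sub, "roles": roles, "iat": now}      # sub is a string (RFC 7519)
    return {
        "access": _sign({**base, "typ": "access", "exp": now + ACCESS_TTL}),
        "refresh": _sign({**base, "typ": "refresh", "exp": now + REFRESH_TTL}),
    }

def verify_jwt(token, expected_typ="access", now=None):
    """Claims if signature, algorithm, type and expiry all check out, otherwise None."""
    now = now if now is not None else time.time()
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS512":  # pin alg; never trust the token's
            return None
        expected = hmac.new(JWT_SECRET, f"{h}.{p}".encode(), hashlib.sha512).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:                                    # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("typ") != expected_typ or claims.get("exp", 0) <= now:
        return None
    return claims

# Constructed in-memory key store keyed by SHA-256 digest: a leaked table yields no usable keys.
API_KEYS = {}

def _digest(key):
    return hashlib.sha256(key.encode()).hexdigest()

def create_api_key(owner, ttl_days=90, now=None):
    now = now if now is not None else time.time()
    key = "sk_live_" + secrets.token_urlsafe(24)          # 192 bits from the OS CSPRNG
    API_KEYS[_digest(key)] = {"owner": owner, "expires": now + ttl_days * 86400,
                              "revoked": False, "uses": 0}
    return key                                            # shown to the owner once, never stored

def revoke_api_key(key):
    rec = API_KEYS.get(_digest(key))
    if rec:
        rec["revoked"] = True

def verify_api_key(key, now=None):
    now = now if now is not None else time.time()
    rec = API_KEYS.get(_digest(key))
    if rec is None or rec["revoked"] or rec["expires"] <= now:
        return None
    rec["uses"] += 1                                      # usage tracking
    return rec["owner"]

def authenticate(headers, now=None):
    """Auth extraction: Bearer JWT first, then X-API-KEY. Returns (method, principal) or None."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        claims = verify_jwt(auth[len("Bearer "):], now=now)
        return ("jwt", claims["sub"]) if claims else None
    key = headers.get("X-API-KEY")
    if key:
        owner = verify_api_key(key, now=now)
        return ("api_key", owner) if owner else None
    return None
```

The verifier rejects a refresh token presented as an access token, an expired token, a token whose payload was altered after signing, and a token whose header claims a different algorithm; the API key path rejects expired and revoked keys before counting a use.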

Row-Level Security (RLS)

Row-Level Security (RLS) enforces tenant isolation and least-privilege access. Policies are applied before the query runs and are ANDed with any filter the caller supplies, so a user filter can narrow a result set but never widen it.

RLS Features

  • Entity/action permissions
  • Nested relationship filters
  • Wildcard support (*)

Permission Scopes

  • filterParent and filterChild
  • Multi-level relationships
  • Same filter syntax as API

RLS JWT Claims Example
{
  "sub": "123",
  "email": "user@example.com",
  "roles": ["tenant_admin"],
  "allowed_scopes": [
    {
      "entity_name": "orders",
      "allowed_actions": ["read", "update"],
      "scope_expression": {
        "expressions": [
          {"field": "tenant_id", "operator": "eq", "value": 456}
        ]
      }
    }
  ]
}
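
Added example, not SWAIN's code: evaluating the allowed_scopes claim above as a row filter. Entity/action matching honours the wildcard, unknown operators are rejected, the policy expression is ANDed with the caller's own filter, and a missing field fails closed. The operator names other than eq, the dotted-path syntax for nested relationship fields and the order rows are constructed here are assumptions, not SWAIN's filter grammar.

```python
import operator

# Operator allowlist (names other than "eq" are assumed): unknown operators are rejected.
OPERATORS = {
    "eq": operator.eq, "neq": operator.ne, "gt": operator.gt, "gte": operator.ge,
    "lt": operator.lt, "lte": operator.le, "in": lambda a, b: a in b,
}

def _field(row, path):
    """Assumption: nested relationship fields are written as dotted paths ('customer.tenant_id')."""
    for part in path.split("."):
        row = row.get(part) if isinstance(row, dict) else None
    return row

def matches(row, scope_expression):
    """Every expression must hold (AND). A missing field fails closed."""
    for expr in scope_expression.get("expressions", []):
        op = OPERATORS.get(expr["operator"])
        if op is None:
            raise ValueError(f"unsupported operator: {expr['operator']!r}")
        actual = _field(row, expr["field"])
        if actual is None or not op(actual, expr["value"]):
            return False
    return True

def find_scope(claims, entity, action):
    """First allowed_scopes entry covering this entity/action; '*' matches any entity or action."""
    for scope in claims.get("allowed_scopes", []):
        if scope["entity_name"] in (entity, "*") and (
            action in scope["allowed_actions"] or "*" in scope["allowed_actions"]
        ):
            return scope
    return None

def query(claims, entity, action, rows, user_filter=None):
    """Policy first, then the caller's filter: the caller can narrow the result but never widen it."""
    scope = find_scope(claims, entity, action)
    if scope is None:
        raise PermissionError(f"{action} on {entity} not permitted")
    user_filter = user_filter or {"expressions": []}
    return [r for r in rows
            if matches(r, scope["scope_expression"]) and matches(r, user_filter)]

# The claims from the page, and constructed rows belonging to two tenants.
CLAIMS = {
    "sub": "123", "roles": ["tenant_admin"],
    "allowed_scopes": [{
        "entity_name": "orders", "allowed_actions": ["read", "update"],
        "scope_expression": {"expressions": [{"field": "tenant_id", "operator": "eq", "value": 456}]},
    }],
}
ORDERS = [
    {"id": 1, "tenant_id": 456, "status": "open", "customer": {"tenant_id": 456}},
    {"id": 2, "tenant_id": 456, "status": "closed", "customer": {"tenant_id": 456}},
    {"id": 3, "tenant_id": 789, "status": "open", "customer": {"tenant_id": 789}},
]

if __name__ == "__main__":
    print([r["id"] for r in query(CLAIMS, "orders", "read", ORDERS)])   # tenant 456 only
```

A caller asking for tenant 789 gets an empty result rather than an error, which keeps the existence of other tenants' rows from leaking through error messages.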

Role-Based Access Control (RBAC)

RBAC with roles and permissions. Permissions use the same expression syntax for consistency.

User & Role Management

  • Many-to-many roles
  • Default roles on signup
  • Inheritance across roles

Permission System

  • CRUD/action permissions
  • JSON scope expressions
  • Wildcard entity/actions
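
Added example, not SWAIN's code: resolving a user's roles into permission grants that use the same JSON scope-expression shape as the RLS claims. It walks role inheritance transitively (with a cycle guard), assigns the default role on signup, and binds per-user values into the scope expressions. The role table, the "inherits" key, the "$user.<attribute>" placeholder and the default-role list are assumptions made for the example.

```python
# Assumed role table: each role lists the roles it inherits and its permissions. A scope
# value of the form "$user.<attr>" is filled from the user's record at resolution time.
ROLES = {
    "viewer": {
        "inherits": [],
        "permissions": [
            {"entity_name": "orders", "allowed_actions": ["read"],
             "scope_expression": {"expressions": [
                 {"field": "tenant_id", "operator": "eq", "value": "$user.tenant_id"}]}},
        ],
    },
    "tenant_admin": {
        "inherits": ["viewer"],
        "permissions": [
            {"entity_name": "orders", "allowed_actions": ["update", "delete"],
             "scope_expression": {"expressions": [
                 {"field": "tenant_id", "operator": "eq", "value": "$user.tenant_id"}]}},
        ],
    },
    "support": {
        "inherits": ["viewer"],
        "permissions": [
            {"entity_name": "*", "allowed_actions": ["read"], "scope_expression": {"expressions": []}},
        ],
    },
}
DEFAULT_ROLES = ["viewer"]     # assumed: assigned on signup

def effective_roles(role_names):
    """Transitive closure over 'inherits'; the seen list doubles as a cycle guard."""
    seen, stack = [], list(role_names)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        if name not in ROLES:
            raise ValueError(f"unknown role {name!r}")
        seen.append(name)
        stack.extend(ROLES[name]["inherits"])
    return seen

def _bind(value, user):
    """Replace '$user.<attr>' with the user's attribute; a missing attribute fails closed."""
    if isinstance(value, str) and value.startswith("$user."):
        attr = value[len("$user."):]
        if attr not in user:
            raise ValueError(f"user has no attribute {attr!r}")
        return user[attr]
    return value

def resolve_scopes(user):
    """Flatten the user's effective roles into allowed_scopes entries bound to that user."""
    scopes = []
    for role in effective_roles(user["roles"]):
        for perm in ROLES[role]["permissions"]:
            bound = [{**e, "value": _bind(e["value"], user)}
                     for e in perm["scope_expression"]["expressions"]]
            scopes.append({**perm, "scope_expression": {"expressions": bound}})
    return scopes

def is_allowed(scopes, entity, action):
    """Entity/action check with wildcard support; row filtering is the RLS layer's job."""
    return any(s["entity_name"] in (entity, "*") and
               (action in s["allowed_actions"] or "*" in s["allowed_actions"])
               for s in scopes)

def signup(email, tenant_id):
    """New users start with the default roles only; anything more is an explicit grant."""
    return {"email": email, "tenant_id": tenant_id, "roles": list(DEFAULT_ROLES)}
```

Because the resolved scopes carry the user's own tenant_id, issuing them as the allowed_scopes claim at login is enough for the RLS layer to enforce isolation without a second lookup.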

Transport & Middleware Security

Production-ready middleware: security headers, CORS, request protection. All sensitive operations over HTTPS.

Security Middleware

  • Configurable CORS
  • Security headers
  • Logging + error handling

Request Protection

  • Auth extraction + validation
  • Session refresh
  • Layered middleware

CORS Headers (response to an allowlisted origin)
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type, Authorization, X-CSRF-Token
Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
Vary: Origin

Access-Control-Allow-Origin must name the requesting origin taken from the configured allowlist (https://app.example.com is a placeholder). A wildcard (*) cannot be combined with Access-Control-Allow-Credentials: true: browsers reject that response, and reflecting whatever Origin header arrives to work around it would let any site make credentialed requests with the user's session.
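
Added example, not SWAIN's middleware: building the CORS response from an explicit origin allowlist, refusing the wildcard-plus-credentials configuration at startup, and attaching a baseline set of security headers. The CorsConfig class, the SECURITY_HEADERS set and its values are assumptions; only the CORS header list comes from this page.

```python
from dataclasses import dataclass

# Assumed baseline security headers; adjust CSP to what the application actually loads.
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
}

@dataclass
class CorsConfig:
    allowed_origins: list             # exact origins, e.g. "https://app.example.com", or ["*"]
    allow_credentials: bool = False
    allowed_headers: tuple = ("Content-Type", "Authorization", "X-CSRF-Token")
    allowed_methods: tuple = ("POST", "OPTIONS", "GET", "PUT", "DELETE")

    def __post_init__(self):
        # Browsers reject '*' together with credentials, and the usual workaround of
        # reflecting the request's Origin lets any site use the victim's session.
        if self.allow_credentials and "*" in self.allowed_origins:
            raise ValueError("Access-Control-Allow-Origin '*' cannot be combined with credentials")

def response_headers(config, request_origin):
    """Headers to add to a response for a request carrying the given Origin (None if absent)."""
    headers = dict(SECURITY_HEADERS)
    if "*" in config.allowed_origins:
        headers["Access-Control-Allow-Origin"] = "*"             # public, credential-less API
    elif request_origin in config.allowed_origins:
        headers["Access-Control-Allow-Origin"] = request_origin  # echo only allowlisted values
        headers["Vary"] = "Origin"                               # keep shared caches per-origin
        if config.allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
    else:
        return headers                                           # unknown origin: no CORS grant
    headers["Access-Control-Allow-Headers"] = ", ".join(config.allowed_headers)
    headers["Access-Control-Allow-Methods"] = ", ".join(config.allowed_methods)
    return headers

# Weak setting (the combination shown in the original header listing) versus the corrected one.
WEAK_SETTINGS = {"allowed_origins": ["*"], "allow_credentials": True}        # rejected by CorsConfig
HARDENED = CorsConfig(allowed_origins=["https://app.example.com"], allow_credentials=True)
```

Failing at configuration time is deliberate: the wildcard-plus-credentials mistake otherwise surfaces only as a browser console error, which tends to get "fixed" by reflecting Origin.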

Data Protection

Defense-in-depth from input validation to DB operations. Parameterized queries prevent injection; validation at every layer.

Query Security

  • Parameterized queries
  • Prepared statements
  • Input sanitization

Data Validation

  • Schema/type validation
  • Operator + relationship checks
  • Transactions; safe error messages
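
Added example, not SWAIN's code: compiling API filter expressions into parameterized SQL. Field and operator names are checked against allowlists so they never reach the SQL text unvalidated, values are always bound as parameters, and the tenant policy filter is ANDed with the caller's filter. A deliberately vulnerable string-built query sits beside it to show what the binding prevents. The sqlite3 schema, the column allowlist and the rows are constructed for the example.

```python
import sqlite3

# Allowlists: a filter may only name known columns and known operators (operator names assumed).
COLUMNS = {"orders": {"id", "tenant_id", "status", "total"}}
SQL_OPERATORS = {"eq": "=", "neq": "<>", "gt": ">", "gte": ">=", "lt": "<", "lte": "<=", "in": "IN"}

def compile_filter(entity, scope_expression):
    """Return (where_clause, params). Identifiers come from allowlists and values are bound,
    so nothing supplied by the caller is ever interpolated into SQL text."""
    if entity not in COLUMNS:
        raise ValueError(f"unknown entity {entity!r}")
    clauses, params = [], []
    for expr in scope_expression.get("expressions", []):
        field, op, value = expr["field"], expr["operator"], expr["value"]
        if field not in COLUMNS[entity]:
            raise ValueError(f"unknown field {field!r}")
        if op not in SQL_OPERATORS:
            raise ValueError(f"unknown operator {op!r}")
        if op == "in":
            if not isinstance(value, (list, tuple)) or not value:
                raise ValueError("'in' needs a non-empty list")
            placeholders = ", ".join("?" for _ in value)
            clauses.append(f'"{field}" IN ({placeholders})')
            params.extend(value)
        else:
            clauses.append(f'"{field}" {SQL_OPERATORS[op]} ?')
            params.append(value)
    return (" AND ".join(clauses) or "1=1"), params

def unsafe_select(conn, entity, status):
    """Deliberately vulnerable: the caller's value becomes part of the SQL text."""
    return conn.execute(f"SELECT id FROM {entity} WHERE status = '{status}'").fetchall()

def safe_select(conn, entity, policy, user_filter):
    """Policy filter AND user filter, both compiled with bound parameters."""
    p_sql, p_params = compile_filter(entity, policy)
    u_sql, u_params = compile_filter(entity, user_filter)
    sql = f'SELECT id FROM "{entity}" WHERE ({p_sql}) AND ({u_sql}) ORDER BY id'
    return [row[0] for row in conn.execute(sql, p_params + u_params)]

def demo_db():
    """Constructed in-memory table with rows from two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, tenant_id INTEGER, status TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", [
        (1, 456, "open", 10.0), (2, 456, "closed", 20.0), (3, 789, "open", 30.0)])
    return conn
```

The same injection string that makes unsafe_select return every tenant's rows is, in safe_select, just a status value that matches nothing, and a field name carrying SQL is rejected before any query is built.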