Security & Compliance

Implemented

Enterprise-grade security with industry compliance standards. Our security framework is fully implemented and operational, providing robust protection for industrial data.

Core Security Features

JWT Authentication
Implemented
Secure JSON Web Token authentication with configurable expiration and refresh capabilities.
HS256 signing algorithm
Configurable token expiration
Secure password hashing (bcrypt)
Token validation middleware

Role-Based Access Control
Implemented
Comprehensive RBAC system with hierarchical permissions and fine-grained access control.
Role hierarchy (Admin, Manager, Operator, Viewer)
Permission-based endpoint protection
Resource-level access control
Dynamic permission checking

Audit Logging
Foundation Ready
Comprehensive audit logging system for compliance and security monitoring.
Complete audit log data model
Query and analytics endpoints
User action tracking
Automatic mutation logging (in progress)

API Key Management
Foundation Ready
API key authentication system for programmatic access with basic management capabilities.
API key generation and storage
Header-based authentication
User association and tracking
Scoped permissions (planned)

Authentication Methods

JWT Token Authentication
Primary authentication method for user sessions

# Login to get JWT token
curl -X POST https://sapienstream.com/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "username": "your_username",
    "password": "your_password"
  }'

# Response includes access token
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "bearer",
  "expires_in": 3600,
  "user": {
    "id": "user_123",
    "username": "your_username",
    "role": "OPERATOR",
    "permissions": ["tags:read", "machines:read"]
  }
}

# Use token in subsequent requests
curl https://sapienstream.com/api/machines \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
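The login and bearer-token flow above, as an added example of what the server side of the "HS256 signing" and "token validation middleware" items looks like. This is illustrative code written for this page, not SapienStream's own implementation: it uses only the Python standard library, and the signing secret, the 3600-second lifetime and the claim layout are constructed to match the response shown above. Password verification (bcrypt) happens before mint_token is called and is not shown.

```python
"""Added example: minting and validating an HS256 JWT with the standard library.

Not SapienStream's code. The secret below is a constructed placeholder; a real
service loads it from configuration and never commits it.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-only-secret-change-me"   # constructed placeholder
TOKEN_TTL_SECONDS = 3600                    # matches expires_in in the login response


def b64url_encode(data: bytes) -> str:
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_claims(claims: dict) -> str:
    return b64url_encode(json.dumps(claims, separators=(",", ":")).encode())


def mint_token(user_id: str, role: str, permissions: list, now: float = None) -> str:
    """Build header.payload.signature after the password check has already passed."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "role": role, "permissions": permissions,
               "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    signing_input = encode_claims(header) + "." + encode_claims(payload)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, now: float = None) -> dict:
    """Return the claims if signature and expiry check out, otherwise raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the server side; the token must not choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so a wrong signature does not leak timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def authenticate_request(headers: dict, now: float = None) -> dict:
    """Middleware-style check of the Authorization: Bearer header used in the curl examples."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("missing bearer token")
    return verify_token(token, now)
```

The two checks a reviewer looks for are both present: the algorithm is fixed by the server rather than read from the token, and expiry is evaluated against the server clock after the signature passes, so a forged or stale token is rejected before any claim in it is trusted.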

API Key Authentication
For programmatic access and automation scripts

# Get current user info with API key
curl https://sapienstream.com/api/auth/me \
  -H "X-API-Key: your_api_key_here"

# Use API key for machine operations
curl https://sapienstream.com/api/machines \
  -H "X-API-Key: your_api_key_here"

# Write tag data with API key
curl -X POST https://sapienstream.com/api/machines/{machine_id}/tags/{tag_name}/write \
  -H "X-API-Key: your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "value": 42.5,
    "quality": "GOOD"
  }'
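An added example of the server side of the X-API-Key flow shown above, covering the "generation and storage", "header-based authentication" and "user association and tracking" items of the API Key Management feature. This is illustrative code written for this page, not SapienStream's implementation: the `ssk_` prefix, the in-memory store and the user records are assumptions, and a real service would persist the records in its database.

```python
"""Added example: issuing, storing, checking and revoking API keys.

Not SapienStream's code. Only a SHA-256 fingerprint of each key is stored, so a
leaked table does not hand out usable credentials; the raw key is shown once.
"""
import hashlib
import secrets

KEY_PREFIX = "ssk_"          # assumed prefix, makes keys recognisable in logs and secret scanners
API_KEYS: dict = {}          # constructed store: fingerprint -> record


def fingerprint(raw_key: str) -> str:
    return hashlib.sha256(raw_key.encode()).hexdigest()


def generate_api_key(user_id: str, label: str) -> str:
    """Create a key bound to a user. The raw key is returned once and never stored."""
    raw_key = KEY_PREFIX + secrets.token_urlsafe(32)
    API_KEYS[fingerprint(raw_key)] = {
        "key_id": secrets.token_hex(4),   # stable id for listing and revocation
        "user_id": user_id,
        "label": label,
        "hint": raw_key[:8],              # enough to recognise a key in a UI, not to use it
        "revoked": False,
        "use_count": 0,
    }
    return raw_key


def list_api_keys(user_id: str) -> list:
    """Tracking view for one user; never includes the key itself."""
    return [{"key_id": r["key_id"], "label": r["label"], "hint": r["hint"],
             "use_count": r["use_count"], "revoked": r["revoked"]}
            for r in API_KEYS.values() if r["user_id"] == user_id]


def revoke_api_key(key_id: str) -> bool:
    for record in API_KEYS.values():
        if record["key_id"] == key_id:
            record["revoked"] = True
            return True
    return False


def authenticate_api_key(headers: dict) -> dict:
    """Resolve the X-API-Key header to its owning user, or raise ValueError."""
    raw_key = headers.get("X-API-Key", "")
    if not raw_key.startswith(KEY_PREFIX):
        raise ValueError("missing or malformed API key")
    # Lookup by fingerprint: the stored value is a hash, so the comparison never
    # touches the secret and a database dump is not a credential dump.
    record = API_KEYS.get(fingerprint(raw_key))
    if record is None or record["revoked"]:
        raise ValueError("unknown or revoked API key")
    record["use_count"] += 1
    return {"user_id": record["user_id"], "label": record["label"],
            "use_count": record["use_count"]}
```

The "Scoped permissions (planned)" item would slot in as an extra field on the record, so that a key can carry a narrower permission set than its owning user; until then a key inherits whatever the associated user is allowed to do.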

Permission System

Role Hierarchy
Built-in roles with increasing levels of access

ADMIN

Full system access

  • User management
  • System configuration
  • All CRUD operations
  • Audit log access

FACILITY_MANAGER

Operations management

  • Machine management
  • Tag configuration
  • Process oversight
  • Team coordination

OPERATOR

Day-to-day operations

  • Read machine data
  • Write tag values
  • Monitor systems
  • Basic reporting

VIEWER

Read-only access

  • View dashboards
  • Read reports
  • Monitor status
  • No modifications
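An added example of how the four-level hierarchy above can be enforced in code, covering the "permission-based endpoint protection", "resource-level access control" and "dynamic permission checking" items of the RBAC feature. This is illustrative code written for this page, not SapienStream's RBAC implementation: the role names and the `tags:read` / `machines:read` permission strings come from the page, while the other permission strings and the facility-scoping rule (non-admins may only act on resources in their own facility) are assumptions.

```python
"""Added example: role hierarchy with inherited permissions and a resource-level check.

Not SapienStream's code. Permission names other than tags:read and machines:read,
and the facility_id scoping rule, are assumptions for the example.
"""
from functools import wraps

# Lowest to highest. Each role gets its own permissions plus everything below it.
ROLE_ORDER = ["VIEWER", "OPERATOR", "FACILITY_MANAGER", "ADMIN"]

ROLE_PERMISSIONS = {
    "VIEWER": {"tags:read", "machines:read", "reports:read"},
    "OPERATOR": {"tags:write"},
    "FACILITY_MANAGER": {"machines:write", "tags:configure"},
    "ADMIN": {"users:manage", "system:configure", "audit:read"},
}


class PermissionDenied(Exception):
    pass


def effective_permissions(role: str) -> set:
    """Own permissions plus those inherited from every lower role."""
    if role not in ROLE_ORDER:
        raise ValueError(f"unknown role {role}")
    perms = set()
    for lower_or_equal in ROLE_ORDER[: ROLE_ORDER.index(role) + 1]:
        perms |= ROLE_PERMISSIONS[lower_or_equal]
    return perms


def is_allowed(user: dict, permission: str, resource: dict = None) -> bool:
    """Role check first, then the assumed resource rule: non-admins stay inside their facility."""
    if permission not in effective_permissions(user["role"]):
        return False
    if resource is not None and user["role"] != "ADMIN":
        return resource.get("facility_id") == user.get("facility_id")
    return True


def require_permission(permission: str):
    """Decorator for endpoint handlers shaped handler(user, resource, *args)."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(user, resource=None, *args, **kwargs):
            if not is_allowed(user, permission, resource):
                raise PermissionDenied(f"{user['username']} lacks {permission}")
            return handler(user, resource, *args, **kwargs)
        return wrapper
    return decorator


@require_permission("tags:write")
def write_tag(user: dict, machine: dict, tag_name: str, value: float) -> dict:
    """Stand-in for POST /api/machines/{machine_id}/tags/{tag_name}/write."""
    return {"machine": machine["id"], "tag": tag_name, "value": value, "by": user["username"]}
```

Because permissions are computed from the role at call time rather than copied into the user record, changing a role's permission set takes effect on the next request, which is what "dynamic permission checking" buys over baking a permission list into the token.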

Security Hardening

Infrastructure Security

Docker containerization
Nginx reverse proxy
Cloudflare SSL termination
Localhost-only container bindings
Non-root container users
Capability dropping

Application Security

CORS configuration
Rate limiting middleware
Security headers
Request ID tracking
Structured security logging
Environment variable protection
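An added example tying together four of the application-security items above (CORS configuration, rate limiting middleware, security headers, request ID tracking and structured security logging) in one small middleware. This is illustrative code written for this page, not SapienStream's middleware: the header values, the origin allowlist, the limits and the dict-shaped request and response are constructed for the example, and the clock is passed in so the behaviour can be checked deterministically.

```python
"""Added example: sliding-window rate limiter plus security-header / CORS middleware.

Not SapienStream's code. Limits, header values and the allowlist are constructed.
"""
import uuid
from collections import defaultdict, deque

SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
}
ALLOWED_ORIGINS = {"https://sapienstream.com"}   # constructed CORS allowlist
SECURITY_LOG = []                                 # structured events, one dict per entry


class RateLimiter:
    """Allow at most `limit` requests per client within any `window_seconds` span."""

    def __init__(self, limit: int = 5, window_seconds: int = 60):
        self.limit = limit
        self.window = window_seconds
        self._events = defaultdict(deque)   # client key -> timestamps of recent requests

    def allow(self, client_key: str, now: float) -> bool:
        recent = self._events[client_key]
        while recent and recent[0] <= now - self.window:
            recent.popleft()                # drop timestamps that fell out of the window
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


def with_security(handler, limiter: RateLimiter):
    """Wrap a handler(request) -> response; both are plain dicts in this example."""
    def wrapped(request: dict, now: float) -> dict:
        request_id = uuid.uuid4().hex      # generated server-side, echoed back for correlation
        client = request.get("client_ip", "unknown")
        if limiter.allow(client, now):
            response = handler(request)
        else:
            SECURITY_LOG.append({"event": "rate_limited", "client_ip": client,
                                 "path": request.get("path"), "request_id": request_id})
            response = {"status": 429, "body": {"error": "too many requests"},
                        "headers": {"Retry-After": str(limiter.window)}}
        headers = dict(response.get("headers", {}))
        headers.update(SECURITY_HEADERS)
        headers["X-Request-ID"] = request_id
        # CORS: reflect the Origin only when it is on the allowlist, never "*".
        origin = request.get("headers", {}).get("Origin")
        if origin in ALLOWED_ORIGINS:
            headers["Access-Control-Allow-Origin"] = origin
            headers["Vary"] = "Origin"
        response["headers"] = headers
        return response
    return wrapped


def sample_handler(request: dict) -> dict:
    """Constructed stand-in for a real endpoint."""
    return {"status": 200, "body": {"ok": True}}
```

The request ID is attached to both the response and every security log entry, which is what makes "request ID tracking" useful during incident response: a client-reported failure can be matched to the exact log line without guessing from timestamps.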

Compliance & Monitoring

Audit and Compliance

Current Capabilities

User action logging
API access tracking
Security event monitoring
Audit log analytics endpoints

In Development

Document compliance tracking
Automated compliance reporting
Regulatory documentation management
Audit trail integrity verification

Security is Ready

Our security infrastructure is fully operational and protecting your industrial data today.

Create user accounts with appropriate roles
Generate API keys for automation
Monitor audit logs for compliance
Leverage RBAC for team access control