Enterprise Security

Identity Management Done Right

A complete identity platform with JWT authentication, refresh token rotation, webhook events, and multi-tenant support. Built on .NET 10 and Next.js 16.

auth-flow.http

POST /api/v1.0/auth/login
Authenticating user credentials...
JWT token issued (expires: 60m)
access_token: eyJhbGc...
refresh_token: rft_7d...
created_by_ip: 192.168.1.1
Authentication successful
Roles: Admin, User | Customer: Acme Corp


Complete Identity Solution

Everything you need for enterprise authentication and authorization, from JWT tokens to webhook integrations.

JWT Authentication

Dual signing (HS256/RS256) with JWKS endpoint, rotating refresh tokens, and IP tracking for audit trails.

Multi-Tenant

Customer-based data isolation with user scoping, addresses, phone numbers, and webhook subscriptions per tenant.

Webhook Events

21 event types with HMAC-SHA256 signing, exponential backoff retries, and delivery tracking.
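As an added illustration of what HMAC-SHA256 signing lets a subscriber check on each delivery (example code written for this page, not the product's own): the signing scheme, header names and secret below are assumptions, since the page does not document the wire format.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed scheme (the page does not document its wire format): the sender
// computes HMAC-SHA256 over "<unix-timestamp>.<raw-body>" with the
// subscription's shared secret and sends the hex digest and the timestamp
// in two headers. Header names below are assumptions, not the product's.
const SIGNATURE_HEADER = "x-webhook-signature";
const TIMESTAMP_HEADER = "x-webhook-timestamp";

type VerifyResult = "ok" | "missing" | "stale" | "mismatch";

// Sender side: produce the signature for one delivery.
function signPayload(secret: string, timestamp: number, rawBody: string): string {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

// Receiver side: verify before parsing or acting on the event.
function verifyWebhook(
  secret: string,
  headers: Record<string, string | undefined>,
  rawBody: string, // the raw bytes as received, not re-serialized JSON
  now: number = Math.floor(Date.now() / 1000),
  toleranceSeconds = 300,
): VerifyResult {
  const sig = headers[SIGNATURE_HEADER];
  const ts = Number(headers[TIMESTAMP_HEADER]);
  if (!sig || !Number.isFinite(ts)) return "missing";
  // Bound the timestamp so a captured delivery cannot be replayed indefinitely.
  if (Math.abs(now - ts) > toleranceSeconds) return "stale";
  const expected = Buffer.from(signPayload(secret, ts, rawBody), "hex");
  const actual = Buffer.from(sig, "hex");
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (actual.length !== expected.length) return "mismatch";
  // Constant-time comparison so the check does not leak matching byte prefixes.
  return timingSafeEqual(actual, expected) ? "ok" : "mismatch";
}

// Constructed sample delivery (not a real event from the product).
const demoSecret = "whsec_example";
const demoBody = JSON.stringify({ event: "user.created", customer: "Acme Corp" });
const demoTs = 1700000000;
const demoHeaders = {
  [SIGNATURE_HEADER]: signPayload(demoSecret, demoTs, demoBody),
  [TIMESTAMP_HEADER]: String(demoTs),
};
console.log(verifyWebhook(demoSecret, demoHeaders, demoBody, demoTs)); // ok
```

Verify against the raw request body before JSON parsing; re-serializing the parsed object can change whitespace or key order and break the digest.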

Full-Stack Architecture

.NET 10 API

ASP.NET Core with CQRS

  • Entity Framework Core 10 with SQL Server
  • MediatR for command/query separation
  • FluentValidation for input validation
  • Serilog structured logging
  • Swagger/OpenAPI documentation

Next.js 16 Frontend

React 19 with TypeScript

  • App Router with protected routes
  • HTTP-only cookie authentication
  • Admin dashboard with user management
  • Tailwind CSS 4 styling
  • Role-based route protection

Enterprise Security Built-In

Production-ready security features out of the box. No configuration required for secure defaults.

Security Headers Applied:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade

Rate Limiting:

Auth endpoints: 5 requests / 60 seconds

Rotating Refresh Tokens

Each refresh token can only be used once. A new token pair is issued on every refresh, with the requesting IP recorded for the security audit trail.

Data Protection API

Sensitive data encrypted at rest using ASP.NET Core Data Protection with automatic key rotation.

Soft Delete & Audit Trail

All entities support soft delete with automatic query filtering. CreatedDate and UpdatedDate tracked on all records.

Comprehensive REST API

Versioned API endpoints with Swagger documentation. Full CRUD operations for all identity resources.

# Authentication
POST   /api/v1.0/auth/login
POST   /api/v1.0/auth/register
POST   /api/v1.0/auth/refresh-token
POST   /api/v1.0/auth/logout
POST   /api/v1.0/auth/change-password

# Users
GET    /api/v1.0/users
GET    /api/v1.0/users/{id}
POST   /api/v1.0/users
PUT    /api/v1.0/users/{id}
DELETE /api/v1.0/users/{id}

# Customers
GET    /api/v1.0/customers
GET    /api/v1.0/customers/{id}/addresses
GET    /api/v1.0/customers/{id}/phones
GET    /api/v1.0/customers/{id}/users

# Webhooks
GET    /api/v1.0/webhooks/subscriptions
POST   /api/v1.0/webhooks/subscriptions
GET    /api/v1.0/webhooks/events
POST   /api/v1.0/webhooks/test

Also: /.well-known/jwks.json, /health, and the Roles, UserRoles, Countries and States resources.

Comprehensive Test Suite

Unit and integration tests ensure reliability. In-memory database testing for fast, isolated test runs.

Unit Tests

Handler and validator tests with Moq mocking

Integration Tests

Full auth flow with in-memory database

Domain Tests

Entity behavior and business logic coverage

xUnit + FluentAssertions

Modern test framework with readable assertions

Explore the Architecture

Dive into the technical details of JWT authentication, CQRS patterns, and multi-tenant data isolation.