Function · Security Built

Secure by design, simple to start.

openWCS validates a JWT at the gateway, enforces per-endpoint role-based access on every service, and delegates authentication to Keycloak. All of it is toggleable — run wide-open in dev, then flip security on and lock down for production without rewiring the app.

How it works

Authenticate at the edge, authorize per endpoint.

The gateway proves who you are and forwards the identity; each service decides what you may do from a shared role→permission catalog. Authentication is Keycloak's job; openWCS layers RBAC on top.

Gateway JWT

Validate at the edge

With security enabled, the gateway validates the JWT against the Keycloak realm, requires auth on every /api/** route, and forwards the identity (user + roles) to the services behind it.

Keycloak

Auth is delegated

Authentication itself is Keycloak's job — the Compose stack imports an openWCS realm. openWCS doesn't reinvent login; it trusts the validated token and focuses on what each role is allowed to do.

Per-endpoint RBAC

Every service guards itself

An RbacFilter on each service maps HTTP method + path to a required coded permission — so authorization is enforced at every service, not only at the gateway. Defence in depth, not a single front door.

Role catalog

Roles → permissions

A pure role→permission catalog in shared code defines coded permissions (ALLOCATION_RUN, DEVICE_OPERATE, ORDER_VIEW, TXLOG_VIEW, and more). One catalog, consistently applied across services.

Identity propagation

Carry the caller inward

Service-to-service calls forward the asserted identity, so a downstream service (allocation → inventory) authorizes against the original caller's roles — not a blanket service account.

Toggleable

Start simple, lock down

The whole stack is gated by a single switch. Develop and demo with security off, then enable JWT validation and RBAC for production — no code change, just configuration.

Warehouse scope

Scoped to their warehouses

Each user is mapped to the warehouses they may work in, with one default selected automatically on login. The gateway rejects any request outside that set — operators only ever see and act on their own sites.

At a glance

Token → identity → permission.

  client ─► Keycloak (authenticate) ─► JWT
                                              │
  request ─► API gateway  ── validate JWT vs realm · require auth on /api/**
                       │  forward identity (X-Auth-User · X-Auth-Roles)
                       ▼
            service RbacFilter  ── method + path → required permission
                       │  role→permission catalog (shared)
                       │  service→service calls propagate the caller's identity
                       ▼
            allowed ── or 403  ·  (all of it toggleable: dev off → prod on)
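The flow in the diagram, written out as a small added example (this is illustration code, not openWCS's own). Taken from the page: the X-Auth-User / X-Auth-Roles headers the gateway forwards, the coded permissions ALLOCATION_RUN, DEVICE_OPERATE, ORDER_VIEW and TXLOG_VIEW, the "method + path → required permission" filter model, the shared role→permission catalog, the per-user warehouse set with an automatic default, and the single security switch. Constructed assumptions: the role names, the route table, the user→warehouse mapping, and the sample requests.

```python
"""Worked example of openWCS's authorization flow (added illustration, not project code).

From the page: X-Auth-User / X-Auth-Roles, the permission codes, the method+path
filter model, the shared catalog, warehouse scoping, the security switch.
Constructed: role names, route table, user -> warehouse map, sample requests.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Shared role -> permission catalog. Role names are assumed; permission codes
# are the ones the page lists.
ROLE_CATALOG = {
    "operator": {"DEVICE_OPERATE", "ORDER_VIEW"},
    "planner": {"ALLOCATION_RUN", "ORDER_VIEW"},
    "auditor": {"ORDER_VIEW", "TXLOG_VIEW"},
}

# Route table for one service: (method, path pattern) -> required permission.
# "{id}" stands for exactly one path segment. First match wins; no match = deny.
ROUTES = [
    ("POST", "/api/allocation/runs", "ALLOCATION_RUN"),
    ("POST", "/api/devices/{id}/commands", "DEVICE_OPERATE"),
    ("GET", "/api/orders/{id}", "ORDER_VIEW"),
    ("GET", "/api/txlog", "TXLOG_VIEW"),
]

# Constructed user -> warehouse scope; the first entry is the login default.
USER_WAREHOUSES = {"alice": ["WH-1", "WH-2"], "bob": ["WH-3"]}

# Only these headers carry the caller's identity inward on service-to-service calls.
IDENTITY_HEADERS = ("X-Auth-User", "X-Auth-Roles")


def _compile(pattern: str):
    """Turn "/api/orders/{id}" into an anchored regex; literal parts are escaped."""
    body = "[^/]+".join(re.escape(part) for part in pattern.split("{id}"))
    return re.compile("^" + body + "$")


COMPILED_ROUTES = [(m, _compile(p), perm) for m, p, perm in ROUTES]


@dataclass(frozen=True)
class Decision:
    status: int   # 200 = allowed, 401 = no identity, 403 = forbidden
    reason: str


def required_permission(method: str, path: str) -> Optional[str]:
    """Look up the coded permission a request needs, or None if no rule matches."""
    for m, rx, perm in COMPILED_ROUTES:
        if m == method and rx.match(path):
            return perm
    return None


def gateway_warehouse_scope(user: str, requested: Optional[str]) -> Decision:
    """Gateway check: reject any request for a warehouse outside the user's set."""
    allowed = USER_WAREHOUSES.get(user, [])
    if not allowed:
        return Decision(403, f"{user} is mapped to no warehouse")
    if requested is None:
        return Decision(200, f"default warehouse {allowed[0]} selected for {user}")
    if requested not in allowed:
        return Decision(403, f"{user} may not act on {requested}")
    return Decision(200, f"{user} acting on {requested}")


def rbac_filter(headers: dict, method: str, path: str, security_enabled: bool = True) -> Decision:
    """Per-service filter: gateway identity headers -> roles -> catalog -> permission check."""
    if not security_enabled:
        return Decision(200, "security switched off (dev mode)")
    user = headers.get("X-Auth-User")
    if not user:
        return Decision(401, "no identity forwarded by the gateway")
    roles = {r.strip() for r in headers.get("X-Auth-Roles", "").split(",") if r.strip()}
    granted = set().union(*(ROLE_CATALOG.get(r, set()) for r in roles))
    needed = required_permission(method, path)
    if needed is None:
        return Decision(403, f"no rule for {method} {path}: denied by default")
    if needed not in granted:
        return Decision(403, f"{user} lacks {needed} (roles: {sorted(roles)})")
    return Decision(200, f"{user} holds {needed}")


def propagate_identity(headers: dict) -> dict:
    """Headers a service forwards when it calls another service (allocation -> inventory)."""
    return {h: headers[h] for h in IDENTITY_HEADERS if h in headers}


if __name__ == "__main__":
    # Constructed requests, as they would arrive behind the gateway.
    alice = {"X-Auth-User": "alice", "X-Auth-Roles": "operator", "Content-Type": "application/json"}
    for method, path in [("POST", "/api/devices/d17/commands"),
                         ("POST", "/api/allocation/runs"), ("GET", "/api/unknown")]:
        d = rbac_filter(alice, method, path)
        print(f"{method} {path} -> {d.status} ({d.reason})")
    print(gateway_warehouse_scope("alice", "WH-3"))
    print(propagate_identity(alice))
```

Two design points worth noting: a request that matches no route rule is denied rather than allowed, so adding an endpoint without adding its permission fails closed; and `propagate_identity` forwards only the two identity headers, so a downstream service authorizes against the original caller's roles rather than the calling service's own credentials.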

Open & auditable

Access control you can read.

The role catalog, the gateway and every RbacFilter are open source — so you can see exactly which role may call which endpoint, and change it. No hidden grants.