Book of DALP
Asset Tokenization Kit

Enterprise IAM

ATK pairs Better Auth with OnchainID so human users, automation, and smart contracts share the same enforcement points.

Identity as infrastructure

Authentication failures sink fintech projects, so ATK treats identity as product code, not a late add-on. Better Auth secures every web session, OnchainID binds those sessions to on-chain claims, and every action maps back to a verifiable persona.

Sign-in covers passwords, passkeys, and recovery flows. Admins can require TOTP, pin codes, and recovery codes, while portfolio teams start with lighter policies and graduate to stronger factors. Sessions expire daily, refresh securely, and ride in HTTP-only cookies; global rate limits absorb brute-force attempts before they hit business APIs.

Role management lives in Better Auth access statements. The starter roles (admin, user) expand easily—banks can add resources such as compliance policies or reports without rewriting the auth layer. Automation flows use API keys minted through the same service; keys carry explicit scopes, rate limits, revocation paths, and audit trails.

Each authenticated user links to an OnchainID identity. When they mint assets or approve compliance actions, the same persona is checked in Better Auth and in the compliance modules, closing the gap between web IAM and token-level rules.

Access model

Human users sign in through the dApp, complete onboarding, and receive role-based permissions. Automation uses scoped API keys, so bots and batch jobs get just enough access to operate. Compliance modules stand as the third guardrail: even with a valid session, a transfer fails if the holder’s OnchainID claims do not satisfy the token’s policy.
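The three guardrails above as an added worked model, not code from ATK, Better Auth or OnchainID: a session or API key must first pass its own check, and then every claim topic the token policy requires must be present, unexpired and issued by a trusted party. All type names, claim topics and issuer ids are constructed for this example.

```typescript
// Added example: a model of ATK's three access guardrails (role-based session,
// scoped API key, OnchainID claims checked against the token policy). All types,
// names and sample data are constructed here; none is Better Auth or OnchainID code.
type Action = "transfer" | "mint" | "approveCompliance";
type Role = "admin" | "user";

// Role permissions in the spirit of a Better Auth access statement (constructed).
const ROLE_PERMISSIONS: Record<Role, readonly Action[]> = {
  admin: ["transfer", "mint", "approveCompliance"],
  user: ["transfer"],
};

interface Session { role: Role; expiresAt: number; revoked: boolean }
interface ApiKey { scopes: readonly Action[]; revoked: boolean }
interface Claim { topic: string; issuer: string; expiresAt: number }
interface TokenPolicy { requiredTopics: string[]; trustedIssuers: string[] }
type Principal = { kind: "session"; session: Session } | { kind: "apiKey"; key: ApiKey };
interface Decision { allowed: boolean; reason: string }
const deny = (reason: string): Decision => ({ allowed: false, reason });

function authorize(p: Principal, action: Action, claims: Claim[], policy: TokenPolicy, now: number): Decision {
  // Guardrails 1 and 2: the web principal. Sessions expire and can be revoked
  // centrally; an API key only carries the scopes it was minted with.
  if (p.kind === "session") {
    if (p.session.revoked || p.session.expiresAt <= now) return deny("session-invalid");
    if (!ROLE_PERMISSIONS[p.session.role].includes(action)) return deny("role-denied");
  } else {
    if (p.key.revoked) return deny("apikey-revoked");
    if (!p.key.scopes.includes(action)) return deny("scope-denied");
  }
  // Guardrail 3: compliance. Every required claim topic must be present, unexpired
  // and from a trusted issuer, so a copied cookie alone cannot move tokens.
  for (const topic of policy.requiredTopics) {
    const ok = claims.some(
      (c) => c.topic === topic && policy.trustedIssuers.includes(c.issuer) && c.expiresAt > now,
    );
    if (!ok) return deny(`claim-unsatisfied:${topic}`);
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample data: one staff session, one automation key, a two-topic policy.
const NOW = 1_700_000_000;
const POLICY: TokenPolicy = { requiredTopics: ["kyc", "accredited"], trustedIssuers: ["issuer-A"] };
const VALID_CLAIMS: Claim[] = [
  { topic: "kyc", issuer: "issuer-A", expiresAt: NOW + 86_400 },
  { topic: "accredited", issuer: "issuer-A", expiresAt: NOW + 86_400 },
];
const userSession: Principal = { kind: "session", session: { role: "user", expiresAt: NOW + 3_600, revoked: false } };
const botKey: Principal = { kind: "apiKey", key: { scopes: ["transfer"], revoked: false } };
```

Each denial names the guardrail that stopped the request, which is the shape of event a SIEM rule on "access anomalies" or "compliance guardrails" can count.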

Threat model and controls

Most attacks begin with credential replay or phishing. Passkeys and TOTP remove shared secrets, while pin code and secret-code plugins give support teams a break-glass option that stays auditable. Sessions can be revoked centrally and expire quickly, limiting the blast radius of a compromised device.

API keys are namespaced, rotate without downtime, and emit separate audit events. Teams can disable one integration without touching staff credentials, and rate limits stop runaway scripts from overwhelming services.

Onchain compliance modules force approvals for high-value moves and stop disallowed investors even if someone copied a cookie. Because they execute on-chain, no amount of web manipulation bypasses them.

Prometheus, Loki, and OpenTelemetry collectors ship with the charts, so authentication events, role changes, and compliance rejections land in the same telemetry your security team already monitors. Forwarding into a SIEM becomes configuration, not a new project.

KPIs that prove control

  • MFA coverage: aim for 100% of administrators on passkeys or TOTP; watch standard-user adoption curves.
  • Passkey uptake: track WebAuthn registrations to learn when to tighten legacy password rules.
  • API key hygiene: monitor rotation cadence, unused keys, and the share carrying custom scopes.
  • Identity linkage: watch how many active users maintain valid OnchainID claims.
  • Access anomalies: review failed logins, rate-limit triggers, and session revocations for spikes.
  • Compliance guardrails: report how often modules such as transfer approvals or allowlists block actions; steady numbers reassure auditors.

Those indicators keep security, compliance, and product aligned on whether controls are being used, not just configured.