Authentication
The difference between session authentication and ingestion API-key authentication.
Console access
Session-based authentication for operators working in the dashboard, alerts, cases, rules, and reports.
Ingestion access
Machine-to-machine authentication for sending transactions through the organization ingestion API.
Security controls
MFA, recovery flows, role-based access, and server-side authorization enforcement.
Two authentication models
WatchTower uses two authentication models because two different kinds of actor interact with the product:
- human operators using the console
- systems sending transactions into the platform
Console session authentication
Console users sign in with email and password. After successful authentication, WatchTower creates an authenticated session using an HttpOnly cookie.
Used for
- the dashboard
- settings
- alerts
- cases
- reports
- rules management
- notifications
Ingestion API-key authentication
Transaction ingestion does not use a console session. It authenticates with an organization-scoped API key in a machine-to-machine model, so a key can only submit transactions for the organization it was issued to.
Used for
- POST /api/v1/transactions
- backend and middleware integrations
- simulator and controlled test traffic
MFA and password security
WatchTower supports TOTP-based MFA through authenticator apps. Backup codes are issued during setup, and MFA is managed from the Security section of the console.
Recovery and password flows
- login
- password reset request
- reset-token validation
- password reset completion
- authenticated password change
Roles and access
Route access and operational actions are enforced server-side according to role and organization membership.
Organization roles
- ADMIN
- RISK_LEAD
- ANALYST
- VIEWER
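The following is an added example, not WatchTower's own code: a server-side authorization check that applies the two models described above (session principals on console routes by role, API-key principals on the ingestion route only, and an organization-membership check on both). The route-to-role mapping, the Principal shape, the role ordering, and the MFA gate for admins and risk leads are assumptions for illustration; the page does not define them.

```python
from dataclasses import dataclass
from typing import Optional

# Organization roles from the page, ranked from least to most privileged (assumed ordering).
ROLE_RANK = {"VIEWER": 0, "ANALYST": 1, "RISK_LEAD": 2, "ADMIN": 3}

# Assumed minimum role per console route; the page does not define this mapping.
CONSOLE_ROUTES = {
    "/dashboard": "VIEWER",
    "/alerts": "ANALYST",
    "/cases": "ANALYST",
    "/rules": "RISK_LEAD",
    "/settings": "ADMIN",
}
INGESTION_ROUTE = ("POST", "/api/v1/transactions")

@dataclass
class Principal:
    """What the server established from the credential presented with the request."""
    kind: str                   # "session" (HttpOnly cookie) or "api_key" (ingestion key)
    org_id: str                 # organization the user belongs to, or the key is scoped to
    role: Optional[str] = None  # only session principals carry an organization role
    mfa_verified: bool = False  # whether TOTP MFA was completed for this session

def authorize(p: Optional[Principal], method: str, path: str, org_id: str) -> bool:
    """Return True only if `p` may perform `method path` on behalf of `org_id`.

    Every decision is made here, server-side, from role and organization
    membership; nothing is trusted from the client beyond the credential.
    """
    if p is None or p.org_id != org_id:
        return False  # unauthenticated, or reaching across an organization boundary
    if (method, path) == INGESTION_ROUTE:
        return p.kind == "api_key"  # ingestion is machine-to-machine only
    if p.kind != "session":
        return False  # an ingestion key never opens console routes
    required = CONSOLE_ROUTES.get(path)
    if required is None or p.role not in ROLE_RANK:
        return False  # unknown route or unknown role: deny by default
    # Assumed policy, following the page's recommendation: admins and risk
    # leads must have completed MFA before privileged console access.
    if p.role in ("ADMIN", "RISK_LEAD") and not p.mfa_verified:
        return False
    return ROLE_RANK[p.role] >= ROLE_RANK[required]
```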
Recommendations
- Require MFA for admins and risk leads.
- Keep ingestion keys in a backend secret store.
- Rotate keys when integration ownership changes.
- Review member roles regularly.