Authentication & Authorization Overview

Authentication Mechanism

BeTalent services leverage Amazon Cognito for authentication and authorization. Different authentication flows are supported depending on whether the request originates from an end-user through a partner (B2BC) or from a backend service (B2B).

1. B2BC Authentication (Business-to-Business-to-Consumer)

  1. End-User Registration and Login
  • End-users authenticate via partner portals or directly through our secure web interface, using either federated identity providers or standard email/password credentials.
  • After successful login, AWS Cognito issues a JWT (JSON Web Token) for subsequent API requests.
  2. Federated Identity Providers (Partner SSO)
  • We support integration with external Identity Providers (SSO) via OAuth 2.0 or SAML protocols, all managed through AWS Cognito.
  • This allows partner-managed users to access BeTalent without creating separate accounts.
  • See the official AWS Cognito SAML guide for details.
  3. Token Issuance & Use
  • Upon authentication, Cognito returns an access token and ID token in JWT format.
  • Include the access token in the Authorization header of each API call to authenticate the request.
  4. Session & Token Lifecycle
  • Cognito handles token expiration and refresh via refresh tokens.
  • Access tokens are valid for 8 hours; reuse them within that window to minimize re-authentication.
  • When an access token expires, use the refresh token to obtain a new access token, or re-authenticate if needed.
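The following is an added example, not part of the BeTalent SDK or this documentation, showing how a client can follow steps 3 and 4: reuse the access token within its validity window, read `exp` from the token to refresh it shortly before expiry, and send it in the Authorization header. The `refresh` callable, the fake clock, the unsigned demo token and the Bearer scheme are assumptions made so the code runs offline; in production the refresh step is Cognito's InitiateAuth call with the `REFRESH_TOKEN_AUTH` flow.

```python
# Added example (not BeTalent SDK code): keep reusing a Cognito access token inside its
# validity window and refresh it shortly before `exp` using the refresh token.
import base64
import json
import time
from typing import Callable, Dict


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> Dict:
    """Read the payload without verifying the signature: the client only needs `exp`
    to plan a refresh; the API still verifies every token it receives."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


class TokenManager:
    """Hands out a valid access token for the Authorization header.

    `refresh` is injected so the demo runs offline. In production it would call Cognito's
    InitiateAuth API with AuthFlow="REFRESH_TOKEN_AUTH" (boto3 cognito-idp client:
    initiate_auth(AuthFlow="REFRESH_TOKEN_AUTH", AuthParameters={"REFRESH_TOKEN": rt},
    ClientId=app_client_id)) and return AuthenticationResult["AccessToken"].
    """

    def __init__(self, access_token: str, refresh_token: str,
                 refresh: Callable[[str], str], now: Callable[[], float] = time.time,
                 skew_seconds: int = 60) -> None:
        self.access_token = access_token
        self.refresh_token = refresh_token
        self._refresh = refresh
        self._now = now
        self._skew = skew_seconds   # refresh this long before exp to absorb clock skew
        self.refresh_count = 0

    def get_access_token(self) -> str:
        exp = float(jwt_claims(self.access_token)["exp"])
        if self._now() >= exp - self._skew:
            self.access_token = self._refresh(self.refresh_token)
            self.refresh_count += 1
        return self.access_token

    def auth_header(self) -> Dict[str, str]:
        # Bearer scheme assumed; the page only says to put the access token in the header.
        return {"Authorization": f"Bearer {self.get_access_token()}"}


def make_demo_token(exp: int) -> str:
    """Constructed, unsigned token for the offline demo only; real Cognito tokens are RS256-signed."""
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'token_use': 'access', 'exp': exp})}."


if __name__ == "__main__":
    clock = [1_000_000]                       # fake clock, in seconds
    eight_hours = 8 * 3600                    # validity window stated above
    mgr = TokenManager(make_demo_token(clock[0] + eight_hours), "demo-refresh-token",
                       refresh=lambda rt: make_demo_token(clock[0] + eight_hours),
                       now=lambda: clock[0])
    mgr.auth_header()                         # reuses the original token
    clock[0] += eight_hours                   # the 8-hour window has passed
    mgr.auth_header()                         # triggers exactly one refresh
    print("refreshes performed:", mgr.refresh_count)
```

The skew margin is the practical point: refreshing a minute before `exp` avoids a request failing with 401 because the token expired in flight, while still reusing each token for essentially its whole window.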

2. B2B Authentication (Machine-to-Machine)

Machine-to-Machine (M2M) authentication is used by backend services requiring automated, unattended access:

  1. Client Credentials
  • Services authenticate with pre-provisioned client ID and client secret, issued by platform administrators.
  2. JWT Generation
  • On successful authentication, Cognito issues a JWT, which must be sent in the Authorization header of all API requests.
  3. Scoped Permissions
  • Access and permissions for B2B clients are governed by assigned roles and scopes within Cognito and our RBAC system.
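As an added example (not BeTalent's code), here is the OAuth 2.0 client-credentials exchange a backend service performs for the three steps above: it authenticates to Cognito's token endpoint with its client ID and secret, requests only the scopes it needs, and receives the JWT to send in the Authorization header. The user-pool domain, client credentials and scope names are constructed placeholders; the endpoint path `/oauth2/token`, the HTTP Basic client authentication and the `grant_type=client_credentials` form body are the standard Cognito interface.

```python
# Added example (not BeTalent code): client-credentials token request to the Cognito token
# endpoint, built with the standard library so the request can be inspected offline.
import base64
import json
import urllib.parse
import urllib.request
from typing import Dict, Iterable, Optional


def build_token_request(domain: str, client_id: str, client_secret: str,
                        scopes: Optional[Iterable[str]] = None) -> urllib.request.Request:
    """Cognito's token endpoint is https://<user-pool-domain>/oauth2/token. The app client
    authenticates with HTTP Basic (base64 of client_id:client_secret) and asks for
    grant_type=client_credentials; listing scopes keeps the token to what the service needs."""
    form = {"grant_type": "client_credentials"}
    if scopes:
        form["scope"] = " ".join(scopes)
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        url=f"https://{domain}/oauth2/token",
        data=urllib.parse.urlencode(form).encode(),
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def parse_token_response(body: bytes) -> Dict[str, object]:
    """Extract the access token and its lifetime; Cognito issues no refresh token to M2M clients,
    so the service simply requests a new token when expires_in runs out."""
    payload = json.loads(body)
    if "access_token" not in payload:
        raise ValueError(f"token request failed: {payload.get('error', 'unknown error')}")
    return {
        "access_token": payload["access_token"],
        "expires_in": int(payload["expires_in"]),
        "token_type": payload.get("token_type", "Bearer"),
    }


def fetch_client_credentials_token(domain: str, client_id: str, client_secret: str,
                                   scopes: Optional[Iterable[str]] = None,
                                   opener=urllib.request.urlopen) -> Dict[str, object]:
    """Perform the exchange; `opener` is injectable so tests never touch the network."""
    req = build_token_request(domain, client_id, client_secret, scopes)
    with opener(req) as resp:
        return parse_token_response(resp.read())


if __name__ == "__main__":
    # Constructed placeholders only; real values come from platform administrators.
    req = build_token_request("auth.example.com", "demo-client-id", "demo-client-secret",
                              ["betalent/candidates.read"])
    print(req.get_method(), req.get_full_url())
    print(req.data.decode())
    print(parse_token_response(b'{"access_token":"eyJ...","expires_in":3600,"token_type":"Bearer"}'))
```

Keep the client secret out of logs and source control: it is sent only inside the Basic header over HTTPS, which is why the Secure Transport practice below is not optional for this flow.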

Authorization Mechanism

Authorization is enforced via Role-Based Access Control (RBAC). Roles and permissions live externally; refer to the SSO & RBAC section for details.

Multi-Tenancy and Tenant Management

BeTalent supports both single- and multi-tenant contexts:

  • Each organization has a unique tenantId (UUID) that isolates data and permissions.
  • API operations typically require the tenantId parameter to ensure correct access control.
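To show how the RBAC and tenant rules above combine on the server side, here is an added example that is not BeTalent's code: an API verifies the incoming access token, then checks the required scope and that the token belongs to the tenantId named in the request. So that it runs offline, the demo signs with HS256 and a shared secret; Cognito signs tokens with RS256, so a real service verifies the signature against the user pool's JWKS and then applies the same claim checks. The issuer, client ID, scope names and the `custom:tenantId` claim are assumptions for the demo; BeTalent's RBAC system defines the actual role-to-scope and tenant mapping.

```python
# Added example (not BeTalent code): checks an API runs on an incoming access token before
# serving a tenant-scoped request. HS256 with a shared secret stands in for Cognito's RS256
# signing so the example runs offline; a real service verifies against the JWKS at
# https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json instead.
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict


class AuthError(Exception):
    """Any token or authorization failure; callers map it to HTTP 401/403."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: Dict, secret: bytes) -> str:
    """Mint a demo token (stand-in for the token Cognito would issue)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_access_token(token: str, secret: bytes, issuer: str, client_id: str,
                        now: Callable[[], float] = time.time) -> Dict:
    """Signature first, then the Cognito claims: token_use, iss, client_id, exp."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:                       # covers bad split, bad base64 and bad JSON
        raise AuthError("malformed token")
    if header.get("alg") != "HS256":         # never let the token choose the algorithm
        raise AuthError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise AuthError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("token_use") != "access":  # an ID token must not be accepted as an access token
        raise AuthError("not an access token")
    if claims.get("iss") != issuer:          # https://cognito-idp.<region>.amazonaws.com/<pool-id>
        raise AuthError("wrong issuer")
    if claims.get("client_id") != client_id:  # the app client allowed to call this API
        raise AuthError("wrong client")
    if now() >= float(claims.get("exp", 0)):
        raise AuthError("token expired")
    return claims


def authorize(claims: Dict, required_scope: str, tenant_id: str,
              tenant_claim: str = "custom:tenantId") -> Dict:
    """RBAC scope check, then tenant isolation: the request's tenantId must match the
    tenant the token was issued for (which claim carries it is an assumption here)."""
    granted = claims.get("scope", "").split()
    if required_scope not in granted:
        raise AuthError(f"missing scope {required_scope}")
    if claims.get(tenant_claim) != tenant_id:
        raise AuthError("token is not valid for this tenant")
    return claims


if __name__ == "__main__":
    # Constructed demo values; issuer format follows Cognito's, the pool id is a placeholder.
    secret = b"demo-shared-secret"
    iss = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_DEMOPOOL"
    tok = sign_hs256({"token_use": "access", "iss": iss, "client_id": "app-client",
                      "exp": time.time() + 8 * 3600, "scope": "betalent/candidates.read",
                      "custom:tenantId": "tenant-a"}, secret)
    claims = verify_access_token(tok, secret, iss, "app-client")
    authorize(claims, "betalent/candidates.read", "tenant-a")      # allowed
    try:
        authorize(claims, "betalent/candidates.read", "tenant-b")  # cross-tenant: refused
    except AuthError as err:
        print("refused:", err)
```

The order matters: the signature and issuer checks establish that Cognito issued the token for this API, the `token_use` check stops an ID token being replayed as an access token, and only then are scope and tenant consulted. Doing the tenant comparison on every operation is what turns the tenantId parameter into an actual isolation boundary rather than a lookup key.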

Security Best Practices

  • Least Privilege: Grant only necessary permissions for each role.
  • Secure Transport: Always use HTTPS for API calls to protect tokens and data in transit.
  • Token Management: Refresh tokens before expiration; avoid frequent re-authentication.
  • Session Policies: Define clear timeouts and revocation processes for inactive sessions.

Conclusion

BeTalent’s authentication and authorization system, powered by AWS Cognito, delivers secure, scalable access control. It supports both B2BC (partner-mediated user flows) and B2B (machine-to-machine) authentication scenarios, with robust RBAC and multi-tenant isolation.