
Authentication Models

The System portal authenticates all requests through the WEB chain. There is no API chain access for System portal endpoints.

WEB Chain Auth Stack

Every System portal request goes through these layers:

  1. Portal context -- X-PORTAL-ACCESS-CODE identifies the System portal
  2. Secure Channel v2 -- encrypts sensitive payloads (login, password operations)
  3. JWT -- Authorization: Bearer <token> for authenticated endpoints
  4. X-Client-Hash -- session fingerprint binding, must stay stable

What Requires Secure Channel

Secure Channel is required for operations that transmit credentials:

  1. login initiation
  2. registration initiation
  3. password reset
  4. password change
  5. sensitive security center mutations

All other authenticated endpoints only need JWT + portal context.

What To Check Before Calling

  1. Is X-PORTAL-ACCESS-CODE set?
  2. Is X-Client-Hash present and stable?
  3. Does the endpoint require Secure Channel?
  4. Is Authorization: Bearer <jwt> required?

Common 403 Causes

| Cause | Fix |
|---|---|
| Missing or invalid portal access code | Set X-PORTAL-ACCESS-CODE to the System portal code |
| JWT portal mismatch | The JWT must have been issued for the SYSTEM portal |
| X-Client-Hash changed mid-session | Keep the same fingerprint for the entire session |
| Missing Secure Channel on a protected endpoint | Establish a SC session before calling |
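
The pre-call checklist and the 403 causes above, combined into a client-side pre-flight check. This is an added example, not SlaunchX code: the operation labels, the function names and the `portal` JWT claim name are assumptions. The token payload is decoded without signature verification, since the server remains the authority on the token.

```python
import base64
import json

# Assumptions (not from the SlaunchX docs): operation labels, the "portal" claim name.
SECURE_CHANNEL_OPS = {"login_init", "registration_init", "password_reset",
                      "password_change", "security_center_mutation"}
PORTAL_CLAIM = "portal"

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying it; a client-side hint only."""
    try:
        payload = token.split(".")[1]
        padded = payload + "=" * (-len(payload) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
        return claims if isinstance(claims, dict) else {}
    except (IndexError, ValueError):
        return {}

def preflight(operation, headers, session_hash, sc_established, needs_jwt=True):
    """Return the likely 403 causes for a request that is about to be sent."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    problems = []
    if not h.get("x-portal-access-code"):
        problems.append("Missing or invalid portal access code")
    client_hash = h.get("x-client-hash")
    if not client_hash:
        problems.append("X-Client-Hash missing")
    elif session_hash is not None and client_hash != session_hash:
        problems.append("X-Client-Hash changed mid-session")
    if operation in SECURE_CHANNEL_OPS and not sc_established:
        problems.append("Missing Secure Channel on a protected endpoint")
    if needs_jwt:
        auth = h.get("authorization", "")
        if not auth.startswith("Bearer "):
            problems.append("Authorization: Bearer <jwt> missing")
        elif jwt_claims(auth[len("Bearer "):]).get(PORTAL_CLAIM) != "SYSTEM":
            problems.append("JWT portal mismatch")
    return problems

def sample_jwt(claims):
    """Build an unsigned, constructed token for the demo below."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"e30.{body}.constructed-signature"

if __name__ == "__main__":
    headers = {"X-PORTAL-ACCESS-CODE": "<system-portal-code>",   # placeholder value
               "X-Client-Hash": "fp-2",                          # constructed
               "Authorization": "Bearer " + sample_jwt({PORTAL_CLAIM: "TENANT"})}
    for cause in preflight("password_change", headers, "fp-1", sc_established=False):
        print("would 403:", cause)
```
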

SlaunchX Internal Documentation