DEV Community: Team Cargoffer The latest articles on DEV Community by Team Cargoffer (@team_cargoffer_6de1a8647d). https://dev.to/team_cargoffer_6de1a8647d https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3991906%2F4e9b9c8f-495a-4117-bbf4-2740aa28859b.png DEV Community: Team Cargoffer https://dev.to/team_cargoffer_6de1a8647d en Authentication Patterns for Multi-Tenant Microservices in TRANSCEND Team Cargoffer Fri, 19 Jun 2026 08:03:52 +0000 https://dev.to/team_cargoffer_6de1a8647d/authentication-patterns-for-multi-tenant-microservices-in-transcend-2lka https://dev.to/team_cargoffer_6de1a8647d/authentication-patterns-for-multi-tenant-microservices-in-transcend-2lka <h1> Authentication Patterns for Multi-Tenant Microservices in TRANSCEND </h1> <p>When building a logistics platform like TRANSCEND, you're not just building one service—you're building dozens of microservices that need to talk to each other securely. In this post, we'll dive into the authentication patterns that keep TRANSCEND's ecosystem safe and scalable.</p> <h2> The Problem: Multiple Services, One Identity </h2> <p>TRANSCEND consists of over 15 microservices (POI, Stations, Toll, Drivers, Vehicles, Pay, IAM, etc.). Each service needs to verify that incoming requests are legitimate and identify the user making the request.</p> <p>The naive approach would be to have each service validate JWTs directly with its own secret—but this creates a coupling problem: when you rotate secrets, you have to update every service.</p> <h2> TRANSCEND's Solution: IAM as the Source of Truth </h2> <p>TRANSCEND uses a pattern where <strong>IAM (Identity and Access Management) is the sole issuer of JWTs</strong>, and other services verify tokens through a two-step process:</p> <ol> <li> <strong>Local verification first</strong> (fast path)</li> <li> <strong>IAM fallback</strong> (slow path, but source of truth)</li> </ol> <h3> Code Pattern: auth.middleware.ts </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// 1. Try local verification first</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">NoJoke.Brother</span><span class="dl">'</span><span class="p">);</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">decoded</span><span class="p">;</span> <span class="c1">// 2. Fallback: verify via IAM service</span> <span class="kd">const</span> <span class="nx">iamUser</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">verifyViaIAM</span><span class="p">(</span><span class="nx">token</span><span class="p">);</span> <span class="c1">// GET /auth/validate-token</span> <span class="k">if </span><span class="p">(</span><span class="nx">iamUser</span><span class="p">)</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">iamUser</span><span class="p">;</span> </code></pre> </div> <p>This gives you the best of both worlds: fast local validation for most requests, with a safety net that ensures tokens issued by IAM are always accepted—even if a service's JWT_SECRET is temporarily out of sync.</p> <h2> JWT Payload Normalization: Handling Legacy vs Real Tokens </h2> <p>One of the sneakiest bugs in microservices is assuming all JWTs have the same payload structure. TRANSCEND learned this the hard way when migrating from local development tokens to production IAM tokens.</p> <h3> The Difference </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Field</th> <th>Legacy Dev JWT</th> <th>Real IAM JWT</th> </tr> </thead> <tbody> <tr> <td><code>userId</code></td> <td>✅ Present</td> <td>❌ Missing</td> </tr> <tr> <td><code>_id</code></td> <td>❌ Missing</td> <td>✅ Present</td> </tr> <tr> <td><code>companyId</code></td> <td>✅ Present</td> <td>❌ Missing</td> </tr> <tr> <td><code>accountType</code></td> <td>❌ Missing</td> <td>✅ Present</td> </tr> <tr> <td><code>subscription_type</code></td> <td>✅ Present</td> <td>❌ Missing</td> </tr> <tr> <td><code>subscriptionStatus</code></td> <td>❌ Missing</td> <td>✅ Present</td> </tr> </tbody> </table></div> <h3> The Fix: normalizePayload() </h3> <p>TRANSCEND uses a normalization function that works with both formats:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">normalizePayload</span><span class="p">(</span><span class="nx">raw</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">any</span><span class="o">&gt;</span><span class="p">):</span> <span class="nx">TokenDecoded</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">uid</span> <span class="o">=</span> <span class="nx">raw</span><span class="p">.</span><span class="nx">userId</span> <span class="o">||</span> <span class="nx">raw</span><span class="p">.</span><span class="nx">_id</span> <span class="o">||</span> <span class="nx">raw</span><span class="p">.</span><span class="nx">sub</span> <span class="o">||</span> <span class="dl">''</span><span class="p">;</span> <span class="k">return</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="k">typeof</span> <span class="nx">uid</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">object</span><span class="dl">'</span> <span class="p">?</span> <span class="nc">String</span><span class="p">(</span><span class="nx">uid</span><span class="p">)</span> <span class="p">:</span> <span class="nx">uid</span><span class="p">,</span> <span class="na">_id</span><span class="p">:</span> <span class="nx">raw</span><span class="p">.</span><span class="nx">_id</span> <span class="o">||</span> <span class="nx">raw</span><span class="p">.</span><span class="nx">userId</span> <span class="o">||</span> <span class="nx">uid</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">raw</span><span class="p">.</span><span class="nx">email</span> <span class="o">||</span> <span class="dl">''</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="nx">raw</span><span class="p">.</span><span class="nx">role</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">,</span> <span class="na">companyId</span><span class="p">:</span> <span class="nx">raw</span><span class="p">.</span><span class="nx">companyId</span> <span class="o">||</span> <span class="nx">raw</span><span class="p">.</span><span class="nx">company_id</span> <span class="o">||</span> <span class="kc">undefined</span><span class="p">,</span> <span class="na">iat</span><span class="p">:</span> <span class="nx">raw</span><span class="p">.</span><span class="nx">iat</span> <span class="o">||</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">/</span> <span class="mi">1000</span><span class="p">),</span> <span class="na">exp</span><span class="p">:</span> <span class="nx">raw</span><span class="p">.</span><span class="nx">exp</span> <span class="o">||</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">/</span> <span class="mi">1000</span><span class="p">)</span> <span class="o">+</span> <span class="mi">3600</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>This function is used both in local JWT verification and when processing the response from IAM's <code>/auth/validate-token</code> endpoint.</p> <h2> Multi-Tenant Isolation: The companyId Problem </h2> <p>TRANSCEND is multi-tenant: each driver, vehicle, and load belongs to a company. But the IAM JWT doesn't contain a <code>companyId</code> field—it contains <code>accountType</code> (which can be <code>"multitenant"</code> or <code>"dedicated"</code>).</p> <p>So how do services know which company a user belongs to?</p> <p><strong>Answer:</strong> The <code>companyId</code> is stored in the user's profile in the IAM database, and services must fetch it when needed.</p> <h3> The Three-Layer Auth Pattern </h3> <p>Every TRANSCEND service that checks ownership uses this pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// LIST — admin sees all, regular user sees own + company's</span> <span class="k">if </span><span class="p">(</span><span class="nx">owner</span> <span class="o">&amp;&amp;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">?.</span><span class="nx">role</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">companyId</span><span class="p">)</span> <span class="nx">q</span><span class="p">.</span><span class="nx">companyId</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">companyId</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">owner</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">companyId</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">?.</span><span class="nx">companyId</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">companyId</span><span class="p">)</span> <span class="nx">q</span><span class="p">.</span><span class="nx">$or</span> <span class="o">=</span> <span class="p">[{</span> <span class="nx">owner</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">companyId</span> <span class="p">}];</span> <span class="k">else</span> <span class="nx">q</span><span class="p">.</span><span class="nx">owner</span> <span class="o">=</span> <span class="nx">owner</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// GET / UPDATE / DELETE — admin can access any, regular user only own</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">?.</span><span class="nx">userId</span> <span class="o">&amp;&amp;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">?.</span><span class="nx">role</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nc">String</span><span class="p">(</span><span class="nx">doc</span><span class="p">.</span><span class="nx">owner</span><span class="p">)</span> <span class="o">!==</span> <span class="nc">String</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">userId</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">returnKO</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="mi">403</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Forbidden</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Note that <code>req.user?.companyId</code> is populated by fetching the user's profile from IAM when the user logs in or on first request.</p> <h2> Service-to-Service Auth: The x-api-key Pattern </h2> <p>When one TRANSCEND service calls another (e.g., the Route service calling the Toll service), they don't use JWTs—they use a shared internal API key.</p> <h3> The Convention </h3> <ul> <li> <strong>Header</strong>: <code>x-api-key</code> (case-insensitive)</li> <li> <strong>Value</strong>: The <code>INTERNAL_API_KEY</code> environment variable</li> <li> <strong>URL Pattern</strong>: <code>https://&lt;service&gt;.transcend.cargoffer.com/api</code> (prod) or <code>https://&lt;service&gt;-release.transcend.cargoffer.com/api</code> (staging)</li> </ul> <h3> Why Not JWT? </h3> <p>Service-to-service calls are frequent and low-latency. Validating a JWT on every internal call would add overhead. The API key pattern is:</p> <ul> <li>Simple to implement</li> <li>Fast (just a string comparison)</li> <li>Easy to rotate (update the env var and restart)</li> </ul> <h3> Migration Pattern: Destructuring with Alias </h3> <p>Many services still reference <code>SYS_API_KEY</code> in their code. The migration pattern is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Before</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">TRANSCEND_TOLLS_URL</span><span class="p">,</span> <span class="nx">SYS_API_KEY</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">;</span> <span class="c1">// After (zero-downtime)</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">TRANSCEND_TOLLS_URL</span><span class="p">,</span> <span class="na">INTERNAL_API_KEY</span><span class="p">:</span> <span class="nx">SYS_API_KEY</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">;</span> </code></pre> </div> <p>This reads the canonical <code>INTERNAL_API_KEY</code> and aliases it to the old <code>SYS_API_KEY</code> name, so existing code continues to work.</p> <h2> Pitfalls &amp; Lessons Learned </h2> <h3> 1. JWT_SECRET Sync is Critical </h3> <p>If IAM and a microservice have different <code>JWT_SECRET</code> values, the local verification will fail and fall back to IAM—but if the fallback is misconfigured, you get authentication loops.</p> <p><strong>Fix:</strong> Always copy IAM's <code>JWT_SECRET</code> to new services during deployment.</p> <h3> 2. Global Axios Interceptors Cause Logout </h3> <p>TRANSCEND's frontend has a global axios interceptor that logs out the user on any 401. If a secondary service (like Tacograph) returns 401 due to misconfiguration, the user gets logged out of the entire system.</p> <p><strong>Fix:</strong> Use local axios instances for non-IAM services:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">localAxios</span> <span class="o">=</span> <span class="nx">axios</span><span class="p">.</span><span class="nf">create</span><span class="p">();</span> <span class="c1">// No global interceptors</span> </code></pre> </div> <h3> 3. .env Files Are Easy to Misconfigure </h3> <p>Because <code>.env</code> files are gitignored, it's easy to drift between environments.</p> <p><strong>Fix:</strong> Include API key validation in your health check endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/health</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">INTERNAL_API_KEY</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Missing INTERNAL_API_KEY</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ok</span><span class="dl">'</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h2> Conclusion </h2> <p>TRANSCEND's authentication ecosystem showcases several patterns that are valuable for any multi-tenant microservices architecture:</p> <ol> <li> <strong>Centralized token issuance</strong> with local verification + fallback</li> <li> <strong>Payload normalization</strong> to handle token evolution</li> <li> <strong>Multi-tenant isolation</strong> using a combination of JWT claims and profile data</li> <li> <strong>Service-to-service authentication</strong> with shared internal keys</li> <li> <strong>Zero-downtime migration patterns</strong> for legacy code</li> </ol> <p>These patterns have kept TRANSCEND secure and scalable as it grew from a single service to a complex logistics platform.</p> <p><em>This is part of the "TRANSCEND Architecture Deep Dive" series. Next: "Building a Geocoding Service with Points of Interest API".</em></p> architecture microservices security systemdesign