← Devlog

July 02, 2026 · 214 views

How I built zero-trust auth for a government marketplace

RBAC, three KYC pipelines, and token rotation — without locking real vendors out.

So the very first thing they handed me on the Govt of India marketplace was authentication. Not the fun kind — the "if this leaks, it's a national news headline" kind. No pressure, right? The rule was zero-trust: assume every request is a stranger until it proves otherwise. Nobody gets in on a plain login. Every vendor has to pass real KYC first. I ended up building three separate verification pipelines — GSTIN, PAN, and bank account — each talking to a different checker and each able to fail in its own annoying way. The trick was making them independent, so a slow bank check couldn't block the PAN check, and one failure gave a clear reason instead of a generic "try again". On top of that I wired role-based access control, so a vendor, an approver, and an admin literally cannot see each other's screens. Then JWT with refresh-token rotation — every refresh burns the old token, so a stolen token is useful for about five minutes, not forever. The bit I'm quietly proud of: vendors upload documents as PDFs, and instead of forcing a download, I rendered an inline preview right in React so approvers could eyeball a document without leaving the page. Shipped the whole module in under a month, coordinating five engineers. Auth is boring when it works. That's the whole point.