12. 🛡️Security Considerations

The Kleber App follows essential security practices to protect user data and ensure secure communication with the InvestGlass backend. Below is a summary of how authentication, token handling, caching, and secure communication are implemented.

🔐 Token-Based Authentication

  • All API requests are authenticated using an access token
  • Token behavior:
    • ⏱️ Expires after 15 minutes of inactivity
    • 🕛 Invalidated automatically 24 hours after issue, regardless of activity
  • If the token is expired or missing:
    • The app receives a 401 Unauthorized response
    • The user is redirected to the login/onboarding screen

🧾 Two-Factor Authentication (OTP)

  • The app supports OTP verification for enhanced login security
  • Relevant endpoints:
    • /portal_auth/send_otp
    • /portal_auth/verification_code
  • Used after login as a second verification step

📦 Caching Policy

  • Only non-sensitive data is cached:
    • Selected theme (dark / light / system)
    • Selected language
    • Temporary file/image previews
  • On logout:
    • All cached data is cleared
    • Only theme and language settings are preserved

📡 Secure API Communication

  • All communication is encrypted via HTTPS
  • Base API endpoints:
    • https://staging.investglass.com/client_portal_api/
    • https://app.investglass.com/client_portal_api/
  • Used for login, documents, portfolios, transactions, etc.
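An added example, not the Kleber App's own code, that ties the token rules from the authentication section to the HTTPS rule here in JavaScript: the 15 minute idle and 24 hour absolute lifetimes are the page's, while the session shape, the `Authorization: Bearer` header, the transport callback and the in-memory state holder are assumptions. The client checks expiry before sending, treats a 401 from the server as authoritative by dropping the token and redirecting to login, and refuses to build a request against a base URL that is not HTTPS.

```javascript
// Added example, not Kleber App code. Applies the page's token lifetimes and
// HTTPS rule on the client side. The session shape, the Authorization header
// format, the transport callback and the state holder are assumptions.
const IDLE_TIMEOUT_MS = 15 * 60 * 1000;          // expires after 15 minutes idle
const ABSOLUTE_TIMEOUT_MS = 24 * 60 * 60 * 1000; // invalidated 24 hours after issue

// session: { token, issuedAt, lastActivity } with times in ms since epoch.
function isSessionExpired(session, now) {
  return now - session.lastActivity >= IDLE_TIMEOUT_MS ||
         now - session.issuedAt >= ABSOLUTE_TIMEOUT_MS;
}

// Builds the full URL and refuses any base that is not HTTPS, so a
// misconfigured environment cannot downgrade API traffic to plaintext.
function buildApiUrl(base, path) {
  const url = new URL(path, base);
  if (url.protocol !== "https:") {
    throw new Error(`refusing non-HTTPS base URL: ${base}`);
  }
  return url.toString();
}

// transport(url, headers) -> { status, body } stands in for the HTTP layer.
// Returns { kind: "ok", body } or { kind: "redirect", to: "login", reason }.
function apiRequest(state, base, path, transport, now) {
  const session = state.session;
  if (session === null) {
    return { kind: "redirect", to: "login", reason: "no token" };
  }
  // Client-side pre-check only saves a round trip; the server's 401 stays authoritative.
  if (isSessionExpired(session, now)) {
    state.session = null;
    return { kind: "redirect", to: "login", reason: "token expired" };
  }
  const res = transport(buildApiUrl(base, path), { Authorization: `Bearer ${session.token}` });
  if (res.status === 401) {
    state.session = null; // never keep a token the server has rejected
    return { kind: "redirect", to: "login", reason: "401 Unauthorized" };
  }
  session.lastActivity = now;
  return { kind: "ok", body: res.body };
}

// Constructed transport: accepts exactly one token value, rejects all others.
function fakeTransport(url, headers) {
  return headers.Authorization === "Bearer constructed-valid-token"
    ? { status: 200, body: { portfolios: [] } }
    : { status: 401 };
}

const STAGING_BASE = "https://staging.investglass.com/client_portal_api/";

function outcome(result) {
  return result.kind === "ok" ? "ok" : result.reason;
}

// Four calls: active session, idle past 15 min, no session left, rejected token.
function sessionDemo() {
  const login = 1700000000000; // constructed login timestamp
  const minute = 60 * 1000;
  const state = { session: { token: "constructed-valid-token", issuedAt: login, lastActivity: login } };
  const results = [
    outcome(apiRequest(state, STAGING_BASE, "portfolios", fakeTransport, login + 10 * minute)),
    outcome(apiRequest(state, STAGING_BASE, "portfolios", fakeTransport, login + 26 * minute)),
    outcome(apiRequest(state, STAGING_BASE, "portfolios", fakeTransport, login + 27 * minute)),
  ];
  const revoked = { session: { token: "constructed-revoked-token", issuedAt: login, lastActivity: login } };
  results.push(outcome(apiRequest(revoked, STAGING_BASE, "documents", fakeTransport, login + minute)));
  return results;
}

// True when the client refuses to talk to a plaintext base URL.
function httpsEnforced() {
  try {
    buildApiUrl("http://staging.investglass.com/client_portal_api/", "portfolios");
    return false;
  } catch (e) {
    return true;
  }
}

console.log(sessionDemo(), httpsEnforced());
```

`sessionDemo()` yields `ok` for the request ten minutes after login, `token expired` for the next one sixteen minutes later, `no token` once the session has been dropped, and `401 Unauthorized` for a token the server rejects; in every failing case the state holder is left empty so the next screen is login rather than a retry with stale credentials.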

🚫 Local Data Storage

  • No sensitive personal or financial data is stored on the device
  • Token and session data are short-lived and securely cleared
  • Local preferences are stored only when required (e.g., theme)

✅ Summary Table

Feature                    | Description
---------------------------|--------------------------------------------------------------------
🔑 Access Token            | Required for all API requests; expires after 15 min idle or 24 h total
🧾 OTP                     | Two-factor authentication supported using verification endpoints
📦 Local Caching           | Limited to UI preferences and temporary previews
🧹 Cache on Logout         | Cleared on logout except for theme/language
🔒 HTTPS Communication     | All API traffic is secured via HTTPS
❌ Local Financial Storage | No persistent storage of personal or financial data on device