2.7.3.1 Authentication & Authorization

• JWT Tokens

  • Short-lived JWTs for user sessions, carrying the user ID, role, and expiration.

  • Refresh Token mechanism if longer sessions are desired (stored securely, not exposed in normal requests).

• Role-Based Access Control (RBAC)

  • Distinguishes privileges for Admins, Traders, Standard Users, etc.

  • Routes and services check req.user.role to grant or block actions (e.g., user management, trade execution).

• Multi-Factor Authentication (MFA) (Optional)

  • Particularly for admin accounts, lead traders, or high-privilege actions.

  • TOTP-based solutions (Google Authenticator) or SMS-based tokens via Twilio.