Seller Orchestra Internal API Mapping

Security

Password management and security settings for seller accounts

1 API

3-Layer Architecture

API Gateway
Seller Admin
User Service

Change Password

Update password with current password verification

Gateway: PUT /seller/api/v1/security
  Body: { current_password, new_password }
Orchestra: PUT /merchant/api/v1/security
User Service:
  POST /api/auth/validate  - Verify current password
  PUT /api/security  - Update with bcrypt hash
  DELETE /api/sessions/user/:id/except/:current  - Invalidate other sessions
Cache: DELETE user-{userId}  - Invalidate

Password Requirements

Min 8 chars
Max 128 chars
At least 1 uppercase letter
At least 1 lowercase letter
At least 1 number
Not a common password
Not the same as the old password
Not the username

Rate Limiting

5 attempts/hour
10 failed logins = lockout
15 min lockout duration

Security Actions

Email: password changed confirmation
Other sessions invalidated
Audit log: password_changed
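Added example (not the User Service's own code) showing the two checks the flow above applies before the bcrypt update: the password requirements list and the lockout / rate-limit counters. Assumptions: the common-password denylist is a constructed stand-in, counters are in-memory per user, and "5 attempts/hour" is read as five change-password requests per user; hashing, session and cache invalidation are not shown.

```python
import re
from dataclasses import dataclass, field
# Constructed stand-in for the service's "not common" denylist (assumption).
COMMON_PASSWORDS = {"password", "password1", "12345678", "qwerty123"}
CLASS_RULES = (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"), ("number", r"[0-9]"))

def check_password_policy(new_pw, old_pw, username):
    """Return the names of every violated rule; an empty list means acceptable."""
    errors = []
    if len(new_pw) < 8:
        errors.append("min_length")
    if len(new_pw) > 128:
        errors.append("max_length")
    for rule, pattern in CLASS_RULES:
        if not re.search(pattern, new_pw):
            errors.append(rule)
    if new_pw.lower() in COMMON_PASSWORDS:
        errors.append("common")
    if new_pw == old_pw:
        errors.append("same_as_old")
    if new_pw.lower() == username.lower():
        errors.append("username")
    return errors

@dataclass
class AttemptGuard:
    """Per-user counters: 10 failed logins lock for 15 min; 5 change attempts per hour."""
    failed: dict = field(default_factory=dict)        # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user -> unix time the lock ends
    changes: dict = field(default_factory=dict)       # user -> change-attempt timestamps
    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record_login(self, user, success, now):
        if success:
            self.failed[user] = 0
            return
        self.failed[user] = self.failed.get(user, 0) + 1
        if self.failed[user] >= 10:
            self.locked_until[user] = now + 15 * 60
            self.failed[user] = 0

    def allow_change(self, user, now):
        # Sliding one-hour window over this user's change attempts, capped at 5.
        recent = [t for t in self.changes.get(user, []) if now - t < 3600]
        if len(recent) >= 5:
            self.changes[user] = recent
            return False
        self.changes[user] = recent + [now]
        return True
```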

Session Security

Token Expiry

JWT Access Token: 24 hours

Refresh Token: 30 days

Session Tracking

Device fingerprinting enabled

Multi-device support