← Trust Center & Legal
API & Integrations

API Authentication Policy

Authentication standards for user sessions, Ecom10x APIs and marketplace tokens.

Company: EcomSarthi Business Solutions LLP ("EcomSarthi", "we", "us", "our")
Product: Ecom10x — One Dashboard. Every Marketplace. (the "Platform" or "Service")
Effective Date: [EFFECTIVE_DATE — e.g., 1 August 2026] · Version: [VERSION — e.g., 1.0] · Next Review: [NEXT_REVIEW_DATE — e.g., 1 February 2027]

1. User Authentication

  • Email + password sign-in with server-side verification; passwords hashed with a salted adaptive algorithm (bcrypt) and never stored or logged in plaintext.
  • Login throttling limits repeated failures per identity to resist brute force.
  • Sessions use signed tokens (JWT-based) delivered via secure cookies; sessions expire on logout and after inactivity; sensitive operations may require re-authentication.

2. Ecom10x API Authentication

Programmatic access uses organisation-scoped credentials/bearer tokens issued by us. Requirements: TLS-only transport; credentials kept server-side (never in browsers or public repos); rotation on suspicion of exposure; and immediate revocation support on request or on security events.

3. Marketplace Token Handling

  • Tokens are obtained only through each Marketplace's official authorisation flow (see OAuth Permission Policy). We never derive tokens from user passwords because we never possess them.
  • Storage: encrypted at rest; masked in every interface; excluded from logs, error reports, analytics and exports.
  • Use: strictly for the authorised scopes on behalf of the owning organisation; refresh tokens are exchanged per marketplace specification; token material is never shared between organisations or with third parties.
  • Lifecycle: deleted within 24 hours of disconnection or detected revocation; rotated per marketplace requirements.

4. Service-to-Service Secrets

Internal secrets (database credentials, provider keys) are environment-scoped, access-restricted, excluded from source control, and rotated on personnel change or suspected exposure.

5. Failure Handling

Authentication failures return generic errors (no account-existence disclosure); repeated anomalies raise security events per the Incident Response Policy.

6. Customer Obligations

Protect your own credentials and any API tokens we issue you as confidential; report exposure immediately to [SECURITY_EMAIL — e.g., security@ecom10x.in].

Governing Law & Dispute Resolution

This document is governed by and construed in accordance with the laws of India, including the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023, without regard to conflict-of-law principles.

Any dispute arising out of or in connection with this document shall first be attempted to be resolved amicably through good-faith negotiation within thirty (30) days of written notice. Failing amicable resolution, the dispute shall be referred to arbitration by a sole arbitrator appointed in accordance with the Arbitration and Conciliation Act, 1996. The seat and venue of arbitration shall be [JURISDICTION_CITY — e.g., New Delhi], India, and proceedings shall be conducted in English. Subject to the foregoing, the courts at [JURISDICTION_CITY — e.g., New Delhi], India shall have exclusive jurisdiction.

Contact

EcomSarthi Business Solutions LLP
[REGISTERED_OFFICE_ADDRESS OF ECOMSARTHI BUSINESS SOLUTIONS LLP]
Support: [SUPPORT_EMAIL — e.g., support@ecom10x.in] · Legal: [LEGAL_EMAIL — e.g., legal@ecom10x.in] · Phone: [SUPPORT_PHONE_NUMBER]