Authentication
In-house email + password auth with argon2id password hashing, short-lived HS256 access JWTs, and hashed refresh tokens persisted in Postgres (only the hash is stored, so a database dump yields nothing a client could present). Sessions live in HttpOnly cookies; refresh happens at the edge, never in the driver layer. An admin can revoke a session immediately via a Redis-backed JWT denylist that is checked on every request, so there is no waiting for natural expiry; a denylist entry only has to outlive the token it revokes.
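The token flow described above, as an added example that is not the platform's own code: HS256 access tokens with a pinned algorithm and constant-time signature check, a revocation denylist whose entries expire with the token, and single-use refresh tokens stored only as hashes. SECRET, the TTLs and the in-memory Denylist and RefreshStore classes are assumptions standing in for the real signing key, Redis and Postgres; argon2id password hashing is out of scope here.

```python
# Added example, not the platform's own code. SECRET, the TTLs and the
# in-memory stores are assumptions standing in for the signing key, Redis
# and Postgres.
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"assumed-256-bit-signing-secret-loaded-from-the-vault"
ACCESS_TTL = 300                 # seconds: short-lived access token
REFRESH_TTL = 30 * 24 * 3600     # seconds: assumed refresh lifetime

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_access_token(sub: str, tenant_id: str, now: int) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "tenant_id": tenant_id, "iat": now,
               "exp": now + ACCESS_TTL, "jti": secrets.token_hex(16)}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

class Denylist:
    """Stand-in for a Redis set with per-entry TTL: jti -> time the entry may be dropped."""
    def __init__(self):
        self._entries = {}

    def add(self, jti: str, exp: int) -> None:
        self._entries[jti] = exp  # only needs to outlive the token's own exp

    def contains(self, jti: str, now: int) -> bool:
        exp = self._entries.get(jti)
        if exp is None:
            return False
        if exp <= now:            # token is expired anyway; forget the entry
            del self._entries[jti]
            return False
        return True

def verify_access_token(token: str, denylist: Denylist, now: int) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":   # pin the algorithm; never trust the header
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if payload["exp"] <= now:
        raise ValueError("expired")
    if denylist.contains(payload["jti"], now):
        raise ValueError("revoked")
    return payload

def revoke_access_token(payload: dict, denylist: Denylist) -> None:
    """Admin revocation: the token fails verification on the very next request."""
    denylist.add(payload["jti"], payload["exp"])

def _hash_refresh(raw: str) -> str:
    # Refresh tokens are 256-bit random strings, so unsalted SHA-256 is enough:
    # a dump of the table holds nothing a client could present.
    return hashlib.sha256(raw.encode()).hexdigest()

class RefreshStore:
    """Stand-in for the Postgres refresh_tokens table, keyed by token hash."""
    def __init__(self):
        self._rows = {}

    def create(self, sub: str, tenant_id: str, now: int) -> str:
        raw = secrets.token_urlsafe(32)
        self._rows[_hash_refresh(raw)] = {"sub": sub, "tenant_id": tenant_id,
                                          "expires_at": now + REFRESH_TTL, "used": False}
        return raw  # plaintext goes to the client once and is never stored

    def redeem(self, raw: str, now: int):
        row = self._rows.get(_hash_refresh(raw))
        if row is None or row["used"] or row["expires_at"] <= now:
            return None
        row["used"] = True  # single use; a replayed refresh token is rejected
        return row

def refresh_session(raw_refresh: str, store: RefreshStore, now: int):
    """Edge-side refresh: returns (new access token, new refresh token) or None."""
    row = store.redeem(raw_refresh, now)
    if row is None:
        return None
    return (issue_access_token(row["sub"], row["tenant_id"], now),
            store.create(row["sub"], row["tenant_id"], now))
```

The two checks worth copying even if everything else changes: the verifier pins `alg` to HS256 instead of reading it from the header (which closes the `alg: none` and key-confusion family of bugs), and a denylist entry carries the token's own `exp`, so the revocation set never grows beyond the number of tokens that are still live.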
Multi-tenancy
One tenant per agency, with sub-tenants for branches and desks. Tenancy is a first-class column on every domain object: queries, audit rows, and driver invocations all carry tenant_id, and isolation is enforced at the data plane rather than left to each query in application code.
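An added example, not the platform's own code, of what tenant scoping with agency/branch/desk sub-tenants looks like when the scope comes from the verified session rather than from the request. SQLite, the path-style tenant identifiers (`acme/mumbai/desk-1`) and the sample bookings are constructed stand-ins for the Postgres schema; the point is that a row outside the caller's subtree reads as "not found" even when its primary key is guessed correctly, and that a driver call is made and audited under the booking's own tenant.

```python
# Added example, not the platform's own code. SQLite, the tenant_path
# convention and the sample rows are assumptions standing in for Postgres.
import sqlite3
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Principal:
    sub: str
    tenant_path: str   # taken from the verified session, never from the request

SCHEMA = """
CREATE TABLE bookings (
    id INTEGER PRIMARY KEY,
    tenant_path TEXT NOT NULL,
    pnr TEXT NOT NULL
);
CREATE TABLE audit (
    id INTEGER PRIMARY KEY,
    tenant_path TEXT NOT NULL,
    actor TEXT NOT NULL,
    event TEXT NOT NULL
);
"""

# Constructed sample data: one agency with two branches and a desk, plus an unrelated agency.
SAMPLE = [
    ("acme", "AAA111"),
    ("acme/mumbai", "BBB222"),
    ("acme/mumbai/desk-1", "CCC333"),
    ("acme/delhi", "DDD444"),
    ("globex", "EEE555"),
]

# Matches the scope itself and everything beneath it. No LIKE wildcards, so a
# crafted scope string cannot widen the match.
IN_SCOPE = ("(tenant_path = :scope OR "
            "substr(tenant_path, 1, length(:scope) + 1) = :scope || '/')")

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO bookings (tenant_path, pnr) VALUES (?, ?)", SAMPLE)
    return conn

def list_bookings(conn: sqlite3.Connection, who: Principal) -> List[str]:
    rows = conn.execute(f"SELECT pnr FROM bookings WHERE {IN_SCOPE} ORDER BY id",
                        {"scope": who.tenant_path}).fetchall()
    return [r[0] for r in rows]

def get_booking(conn: sqlite3.Connection, who: Principal, booking_id: int) -> Optional[dict]:
    # The tenant predicate is always ANDed in: a guessed id outside the caller's
    # scope is indistinguishable from a missing row.
    row = conn.execute(
        f"SELECT id, tenant_path, pnr FROM bookings WHERE id = :id AND {IN_SCOPE}",
        {"id": booking_id, "scope": who.tenant_path}).fetchone()
    return None if row is None else {"id": row[0], "tenant_path": row[1], "pnr": row[2]}

def invoke_driver(conn: sqlite3.Connection, who: Principal, booking_id: int, driver) -> bool:
    """Driver calls carry the booking's own tenant_path and are audited under it."""
    booking = get_booking(conn, who, booking_id)
    if booking is None:
        return False
    driver(tenant_path=booking["tenant_path"], pnr=booking["pnr"])
    conn.execute("INSERT INTO audit (tenant_path, actor, event) VALUES (?, ?, ?)",
                 (booking["tenant_path"], who.sub, f"driver:{driver.__name__}:{booking['pnr']}"))
    return True
```

In Postgres the same predicate would live in a row-level security policy keyed on a session variable set from the token, so that it cannot be forgotten by a new query; the wrapper above shows the predicate the policy has to express.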
Credential vault
Per-tenant credentials (GDS, accounting, payment gateways, portal sessions) are stored under envelope encryption with per-tenant KMS keys: each secret is encrypted with its own data key, and that data key is wrapped by the tenant's KMS key, so disabling a tenant's KMS key renders every credential of that tenant unreadable without touching the stored rows. BYO-key is supported at the vault interface for enterprise tenants that require it.
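The envelope scheme above as an added example, not the platform's own code. `FakeKMS` is an assumption standing in for a cloud KMS (its `import_key` is the BYO-key path), the in-memory rows stand in for Postgres, and `aead_encrypt`/`aead_decrypt` are a standard-library stand-in (HMAC-SHA256 in counter mode, encrypt-then-MAC) for a real AEAD such as AES-256-GCM; the structure is the point, not the cipher. Each secret gets a fresh data key, and the associated data binds every blob to its tenant and slot, so a record copied under another tenant or into another slot fails authentication instead of decrypting.

```python
# Added example, not the platform's own code. FakeKMS, the in-memory rows and
# the HMAC-based cipher are assumptions; use a real AEAD and KMS SDK in practice.
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the one input key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # Tag covers length-prefixed AAD, nonce and ciphertext so none can be moved or edited.
    tag = hmac.new(mac_key, len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def aead_decrypt(key: bytes, blob: bytes, aad: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("authentication failed")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(mac_key, len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):     # verify before decrypting anything
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

class FakeKMS:
    """One KEK per tenant; key material never leaves the KMS, only wrap/unwrap do."""
    def __init__(self):
        self._keks = {}

    def create_key(self, tenant_id: str) -> None:
        self._keks[tenant_id] = secrets.token_bytes(32)

    def import_key(self, tenant_id: str, kek: bytes) -> None:
        self._keks[tenant_id] = kek          # BYO-key: tenant-supplied KEK

    def wrap(self, tenant_id: str, dek: bytes) -> bytes:
        return aead_encrypt(self._keks[tenant_id], dek, tenant_id.encode())

    def unwrap(self, tenant_id: str, wrapped: bytes) -> bytes:
        return aead_decrypt(self._keks[tenant_id], wrapped, tenant_id.encode())

class Vault:
    def __init__(self, kms: FakeKMS):
        self.kms = kms
        self.rows = {}   # (tenant_id, name) -> stored record; stands in for Postgres

    def put(self, tenant_id: str, name: str, secret: dict) -> None:
        dek = secrets.token_bytes(32)            # fresh per secret, never reused
        aad = f"{tenant_id}:{name}".encode()     # binds the blob to its tenant and slot
        self.rows[(tenant_id, name)] = {
            "wrapped_dek": self.kms.wrap(tenant_id, dek),
            "blob": aead_encrypt(dek, json.dumps(secret).encode(), aad),
        }

    def get(self, tenant_id: str, name: str) -> dict:
        row = self.rows[(tenant_id, name)]
        dek = self.kms.unwrap(tenant_id, row["wrapped_dek"])   # fails under another tenant's KEK
        return json.loads(aead_decrypt(dek, row["blob"], f"{tenant_id}:{name}".encode()))
```

Because only the wrapped data key depends on the tenant's KMS key, rotating that key means re-wrapping the small `wrapped_dek` values, not re-encrypting every credential blob.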
RBAC on approvals
Roles include agent, senior_agent, accountant, admin, and auditor. Approval workflows are configurable: 'issue_ticket above ₹X requires senior_agent', 'post_journal_entry always requires accountant confirmation'. Scope is per-domain and per-action, not global.
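An added example, not the platform's own code, of evaluating the two rules quoted above. The rule set, the role assignments and the rupee amounts are constructed for illustration. One reading is assumed: "requires senior_agent" means someone holding that role in that domain must confirm, and the requester counts if they hold it themselves; if separation of duties is wanted instead, drop `actor` from the candidates in `evaluate()`.

```python
# Added example, not the platform's own code. RULES, the actors and the
# amounts are constructed; the self-confirmation reading is an assumption.
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass(frozen=True)
class Rule:
    domain: str
    action: str
    requires: str                  # role that must confirm the action
    above: Optional[int] = None    # amount threshold; None means always

@dataclass(frozen=True)
class Actor:
    sub: str
    roles: Dict[str, Set[str]]     # domain -> roles held there; nothing is global

@dataclass(frozen=True)
class Decision:
    allowed: bool
    needs_role: Optional[str] = None
    reason: str = ""

RULES = [
    Rule("ticketing", "issue_ticket", requires="senior_agent", above=50_000),
    Rule("accounting", "post_journal_entry", requires="accountant"),
]

def find_rule(domain: str, action: str) -> Optional[Rule]:
    return next((r for r in RULES if r.domain == domain and r.action == action), None)

def holds(actor: Actor, domain: str, role: str) -> bool:
    # Scope is per-domain: 'accountant' in accounting says nothing about ticketing.
    return role in actor.roles.get(domain, set())

def evaluate(actor: Actor, domain: str, action: str, amount: int = 0,
             approver: Optional[Actor] = None) -> Decision:
    rule = find_rule(domain, action)
    if rule is None:
        return Decision(True, reason="no approval rule for this action")
    if rule.above is not None and amount <= rule.above:
        return Decision(True, reason=f"amount {amount} not above {rule.above}")
    # Assumption: the requester may satisfy the rule if they hold the role themselves.
    for candidate in (actor, approver):
        if candidate is not None and holds(candidate, domain, rule.requires):
            return Decision(True, reason=f"{rule.requires} confirmation by {candidate.sub}")
    if approver is not None:
        return Decision(False, rule.requires, f"{approver.sub} lacks {rule.requires} in {domain}")
    return Decision(False, rule.requires, f"{action} in {domain} needs {rule.requires}")
```

The test that matters most is the accountant trying to confirm a ticketing action: the role is real, but it is held in the wrong domain, and the decision must be a refusal rather than a fall-through.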
Audit log
Every side-effect tool call records actor, tenant, inputs, outputs, the driver invoked, approvals, and timestamps; the log is append-only and exportable for CA/auditor review. Auth failures are rate-limited and written to the same stream, so brute-force attempts are investigable in the same place as everything else.
Data residency
Residency is abstracted for both Indian DPDP Act compliance and GDPR-ready expansion. Tenant data, credentials, and audit rows have declared residency zones; the platform refuses cross-zone reads unless the tenant explicitly opts in.