The PlantCare Enterprise API implements a Zero Trust security model. Every request is authenticated at multiple layers to ensure data integrity and privacy.

1. Client-to-API Authorization (API Keys)

Clients authenticate with a permanent pk_ent_ key provided during onboarding. This key is validated by the Google Cloud API Gateway.

sequenceDiagram participant Client participant GW as "API Gateway" participant KV as "Secret Manager" participant API as "Backend Service" Client->>GW: "Request with Bearer pk_ent_..." GW->>KV: "Validate Key & Permissions" alt "Valid Key" GW->>API: "Proxy Request + Identity Headers" else "Invalid Key" GW-->>Client: "401 Unauthorized" end

2. Storage Security (Malware Scanning)

Every image uploaded to the Enterprise API is automatically scanned for viruses and malware before it is processed. This is handled by an asynchronous Cloud Storage Trigger.

sequenceDiagram participant GCS as "Cloud Storage" participant Func as "Scan Function" participant Scan as "Malware Scanner" GCS->>Func: "Event: Object Finalized" Func->>Scan: "OIDC Authorized Scan Request" Scan->>Scan: "Malware Signature Analysis" alt "Infected File" Scan-->>Func: "Status: infected" Func->>GCS: "DELETE Object" Func->>Func: "Log Security Incident" else "Clean File" Scan-->>Func: "Status: clean" end

3. Service-to-Service Authorization (OIDC)

When the Backend Service needs to call internal services (like the Image Processor), it does not use a shared secret. Instead, it uses OIDC ID Tokens fetched from the Google Metadata Server.

sequenceDiagram participant API as "Analyze Service" participant Meta as "GCP Metadata Server" participant Proc as "Image Processor" API->>Meta: "Fetch ID Token (Audience: Processor URL)" Meta-->>API: "Signed JWT ID Token" API->>Proc: "POST /process (Authorization: Bearer JWT)" Proc->>Proc: "Validate JWT with Google PubKeys" alt "Valid Token" Proc-->>API: "200 OK (Processed Image)" else "Invalid Token" Proc-->>API: "403 Forbidden" end

3. Network Isolation

To further harden the system, the Image Processor is configured with INGRESS_TRAFFIC_INTERNAL_ONLY. This means it is physically unreachable from the public internet, even with a valid token. Communication is routed through a private VPC Serverless Connector.