Authentication & roles
The authentication and roles module of Winkel Factuur ensures that every team member has exactly the permissions they need and nothing more. Based on the security guidelines from fact.md, we combine modern identity standards, audit logging and European privacy legislation so your marketplaces remain secure.
Zero-trust for marketplaces
Winkel Factuur operates according to a zero-trust approach. Every action is validated via tokens and sessions that run on the same Laravel Sanctum layer as described in fact.md. This allows you to deploy the module for bol.com, Amazon, Shopify and WooCommerce without having to set up separate security procedures. Roles are fine-grained: from owner and finance lead to support staff who can only view documents.
Invitations are sent via secure emails with time-limited links. As soon as a user accepts, all activities are logged. This allows your security or compliance team to always demonstrate who created which invoice, credit note or export.
Practice per platform
Bol.com accounts often require finance and customer service to work together. Winkel Factuur lets you give these teams permissions per store, including the ability to view or roll back uploads to the customer portal. Amazon Seller Central users can get access to settlement reports, while Shopify and WooCommerce teams, for example, only manage local stores.
When you connect a new marketplace or store, you get suggestions for default roles and a warning whenever a user would be granted more permissions than the role requires. This prevents sensitive data such as customer addresses or VAT numbers from being exposed more widely than necessary.
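As an added illustration of the per-store roles and Sanctum token checks described above (example code, not Winkel Factuur's own): a Laravel policy in which the role a user holds in one store decides what an access token may do, with support staff limited to viewing. The `stores()` relationship, its `store_user` pivot with a `role` column, and the ability names are hypothetical.

```php
<?php
// Added example, not Winkel Factuur's own code. Model names, the stores() relationship
// (defined with ->withPivot('role')) and the ability names are hypothetical.
namespace App\Policies;

use App\Models\Invoice;
use App\Models\Store;
use App\Models\User;

class InvoicePolicy
{
    // Role -> abilities within one store: support is read-only, finance may also create,
    // correct and export, owner additionally manages roles. Same strings as Sanctum abilities.
    public const ABILITIES = [
        'support' => ['invoice:view'],
        'finance' => ['invoice:view', 'invoice:create', 'invoice:correct', 'export:run'],
        'owner'   => ['invoice:view', 'invoice:create', 'invoice:correct', 'export:run', 'roles:manage'],
    ];
    // Role the user holds in this specific store, or null if not a member of it.
    public static function roleIn(User $user, Store $store): ?string
    {
        return $user->stores()->whereKey($store->getKey())->first()?->pivot->role;
    }
    // Both must hold: the role in *this* store grants the ability, and the token used for
    // the request was issued with it. A support token can never correct an invoice, and a
    // finance user can only correct invoices in stores where they actually hold that role.
    private function allows(User $user, Store $store, string $ability): bool
    {
        $role = self::roleIn($user, $store);
        return $role !== null
            && in_array($ability, self::ABILITIES[$role] ?? [], true)
            && $user->tokenCan($ability);
    }
    public function view(User $user, Invoice $invoice): bool
    {
        return $this->allows($user, $invoice->store, 'invoice:view');
    }
    public function correct(User $user, Invoice $invoice): bool
    {
        return $this->allows($user, $invoice->store, 'invoice:correct');
    }
    // Mint a token carrying only the abilities of the user's role in one store, expiring
    // after eight hours (Sanctum 3+ accepts the expiry as the third argument).
    public static function issueToken(User $user, Store $store): string
    {
        $role = self::roleIn($user, $store);
        $abilities = $role === null ? [] : self::ABILITIES[$role];
        return $user->createToken("store-{$store->getKey()}", $abilities, now()->addHours(8))->plainTextToken;
    }
}
```

Register the policy for `Invoice` in `AuthServiceProvider` and gate routes with `$this->authorize('correct', $invoice)`; a token that lacks the ability fails the check even when the user's store role would otherwise grant it.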
EU privacy and audit trail
Winkel Factuur is designed with GDPR as the starting point. All access rights are traceable in an audit trail that is retained for seven years. You can see which user started an export, who corrected an invoice and when an API key was renewed. The structured data in fact.md describes the same principles for security and logging.
In addition, the module offers integration with Single Sign-On (optionally via SAML or OIDC) so that large organizations can authenticate via their existing identity systems. Sessions can be limited to specific IP ranges or time windows, which is especially useful for accountants who temporarily need access.
Daily workflow
- Invite new team members from the store or company settings and immediately assign the correct role.
- Periodically check the audit logs and sessions; revoke authorizations when someone changes position.
- Enable two-factor authentication and session timeouts for teams working with sensitive customer data.
- Document changes in roles so auditors get insight into your governance during audits.