Dealer desk & back office
Beyond the Tenant API (/v1/*), Caravan exposes two operator realms. Machine clients reach them with a realm key; people reach the same routes through the browser console with a passkey session and the right role (see Authentication → The console). This page is an orientation map, not a field-level reference — the full, always-current shapes are in the API explorer.
Dealer desk — /broker/v1/*
The brokerage's back office: review the order queue, execute or reject orders, approve funding, and read the blotter, exposure, accounts, and end-of-day summary. Machine auth is X-Console-Key; a human dealer uses a dealer-persona session. Write actions are grant-gated (orders:execute, funding:approve) and money actions require a step-up-fresh session.
| Endpoint | Purpose | Grant |
|---|---|---|
| GET /broker/v1/queue | orders awaiting execution | queue:read |
| POST /broker/v1/queue/{id}/execute | execute a queued order | orders:execute |
| POST /broker/v1/queue/{id}/reject | reject a queued order | orders:execute |
| GET /broker/v1/funding | funding requests awaiting approval | funding:read |
| POST /broker/v1/funding/{id}/approve | approve a funding request | funding:approve |
| POST /broker/v1/funding/{id}/reject | reject a funding request | funding:approve |
| GET /broker/v1/blotter | execution blotter | blotter:read |
| GET /broker/v1/exposure | aggregate broker exposure | exposure:read |
| GET /broker/v1/accounts | accounts opened at this broker | exposure:read |
| GET /broker/v1/eod | end-of-day reconciliation summary | eod:read |
| GET /broker/v1/reference/* | dealer-view instruments / bonds | reference:read |
| GET /broker/v1/markets/{m}/instruments/{s}/book | L2 order-book depth | orderbook:read |
Back office — /admin/*
Platform operations: tenant and broker provisioning, reconciliation, surveillance alerts, complaints, audit verification, key rotation, market-data oversight, and IAM. Machine auth is X-Admin-Key; a human operator uses an ops-persona session.
Two-person (maker–checker) actions
Money- and access-affecting changes follow a two-person rule, enforced in the database (maker ≠ checker):
| Endpoint | Purpose |
|---|---|
| POST /admin/actions | propose a privileged change (grant <base>:propose) |
| POST /admin/actions/{id}/approve | approve & execute as a different admin (grant <base>:approve, step-up) |
| GET /admin/actions | list proposed / approved actions |
The bases under the strict split include ledger:adjust, broker:create, fee-schedule:update, binding:update, keys:rotate-kek / rotate-dek, console-users:manage / :disable, console-roles:assign, passkey:unlock, break-glass, idp-config:update, corp-action:process, and marketdata:replay. The security role is the designated maker; approver signs off; no single non-superuser role holds both sides.
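The following added example (not Caravan's own code or schema) shows what "enforced in the database" means for the two-person rule: the maker ≠ checker invariant lives in a CHECK constraint, so an approval path that forgets to compare identities still cannot record a self-approval. The table, column names, and the `propose` / `approve` helpers are hypothetical; only the `<base>:propose` / `<base>:approve` grant pattern and the step-up requirement come from this page.

```python
import sqlite3

# Hypothetical schema for illustration only; not Caravan's actual tables.
SCHEMA = """
CREATE TABLE admin_actions (
    id      INTEGER PRIMARY KEY,
    base    TEXT NOT NULL,   -- e.g. 'ledger:adjust'
    maker   TEXT NOT NULL,   -- admin who proposed the change
    checker TEXT,            -- admin who approved it; NULL while pending
    CHECK (checker IS NULL OR checker <> maker)
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def propose(db, base, maker, grants):
    """Record a proposal; the caller needs the <base>:propose grant."""
    if f"{base}:propose" not in grants:
        raise PermissionError(f"missing grant {base}:propose")
    cur = db.execute(
        "INSERT INTO admin_actions (base, maker) VALUES (?, ?)", (base, maker))
    db.commit()
    return cur.lastrowid

def approve(db, action_id, checker, grants, step_up_fresh):
    """Approve a pending action. Returns False when the database refuses it."""
    row = db.execute(
        "SELECT base FROM admin_actions WHERE id = ? AND checker IS NULL",
        (action_id,)).fetchone()
    if row is None:
        raise LookupError("no pending action with that id")
    if f"{row[0]}:approve" not in grants:
        raise PermissionError(f"missing grant {row[0]}:approve")
    if not step_up_fresh:
        raise PermissionError("step-up required")
    # Deliberately no maker comparison in application code: the CHECK
    # constraint is the control, so a bug here cannot permit self-approval.
    try:
        db.execute(
            "UPDATE admin_actions SET checker = ? WHERE id = ? AND checker IS NULL",
            (checker, action_id))
        db.commit()
    except sqlite3.IntegrityError:  # raised by the maker <> checker CHECK
        db.rollback()
        return False
    return True
```

The `AND checker IS NULL` guard on the UPDATE also keeps an already-approved action from being re-approved by a second request racing the first.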
IAM & access governance (SOC2 track)
| Endpoint | Purpose |
|---|---|
| GET /admin/access-review | current access snapshot (who holds what) |
| POST /admin/access-reviews | open a periodic access-review campaign (access-review:open) |
| POST /admin/access-reviews/{id}/decisions | record certify/revoke decisions (access-review:decide) |
| GET /admin/sessions | list console sessions |
| POST /admin/sessions/revoke | revoke console sessions (sessions:revoke) |
| GET /admin/audit / GET /admin/audit/verify | read and cryptographically verify the hash-chained audit log |
Least privilege by role. Authority comes from a fine-grained role → grant catalog scoped to global / a tenant / a broker — never from which key a caller holds. Cross-tenant and cross-broker access is impossible by construction. See Authentication.
Sandbox controls — /admin/sandbox/*
In the sandbox only, POST /admin/sandbox/* endpoints drive the simulation — advance the clock, set a quote or NAV, halt a symbol, toggle auto-fill, inject a reconciliation break, or declare a dividend. These are sandbox machine-key (X-Admin-Key) operations, available because the sandbox has no real users or money. See Environments.