InterConnect by NAS

One platform. Every branded card.

The engineered core for card programs: provider-agnostic issuance, KYC/KYB, a real double-entry ledger, and passkey-grade security — all behind one API.

What it is

InterConnect is the card-issuing platform engineered by NAS. It handles issuance, onboarding, money movement, and security as one API-first system — so a product can ship cards without building the infrastructure underneath.

Capabilities

The technical building blocks

Issuance, ledger, identity, and security — engineered as composable, provider-agnostic components.

Provider-agnostic issuance

Issue crypto-funded cards through pluggable adapters. The card layer supports multiple CaaS providers, swappable per deployment — no provider lock-in.

Double-entry ledger core

An append-only, balanced double-entry ledger is the canonical record of every balance and movement — not a mutable balance field.

Custody-agnostic money movement

The same ledger backs both non-custodial and merchant-of-record models. Custody is a pluggable layer, not a hard dependency.

Passkey / WebAuthn auth

Phishing-resistant passkeys, step-up on sensitive operations, and device binding — all enforced server-side.

KYC / KYB verification

Document and biometric face verification for individuals and businesses, with compliance trails and deferred cardholder creation.

Encryption & PII protection

Encryption at rest with blind-index lookup, so equality-queryable PII never sits in plaintext. Full audit trails throughout.

API-first architecture

One versioned API drives every surface; identity, comms, OAuth, and card providers sit behind clean, swappable adapters.

Web · Admin · Mobile

React/Next SSR web, a Next.js admin console, and a Flutter mobile app — three clients, one API contract.

Architecture

How the system is built

An API-first core with a double-entry ledger at its center, providers behind adapters, and security enforced server-side.

01. API-first core

A Spring Boot / Java 21 service on PostgreSQL and Redis exposes one versioned API. All business logic — issuance, money movement, onboarding — lives server-side; clients hold no authority.

02. Ledger as source of truth

Money movement is ledger-first: every transaction is a balanced, append-only double-entry — tamper-evident and auditable. Balances are derived, never overwritten.

03. Pluggable adapters

Card providers (CaaS), custody models, identity (KYC/KYB), comms, and OAuth all sit behind clean interfaces — swap or add a provider without touching the core.

04. Server-enforced security

Auth, step-up, fail-closed authorization, and encryption-at-rest are enforced at the API. Every surface — web, admin, mobile — inherits the same guarantees.

Security & compliance

Security built into the platform, not bolted on

Defense-in-depth, enforced server-side at every layer — not a client-side veneer. The posture below was hardened across a four-surface security audit and is applied wherever identity and money move.

  • Passkeys / WebAuthn — phishing-resistant, no shared secrets
  • Server-side step-up (recent-auth) on sensitive operations
  • Device binding for high-risk actions
  • Identity-only JWTs — authorities resolved server-side, never in the token
  • Fail-closed authorization enforced at the API layer
  • Encryption at rest; blind-index keeps queryable PII out of plaintext
  • Append-only double-entry ledger — tamper-evident money record
  • KYC / KYB with document + biometric verification
  • OIDC nonce replay protection on OAuth sign-in
  • TLS certificate pinning on mobile (leaf + intermediate backup)
  • Rate limiting & throttling on authentication
  • Hardened HTTP — CSP, security headers, sanitized error responses
  • Secrets in a managed store; keyless CI via workload identity federation
  • Full audit trails across every surface

Surfaces

One API contract. Three clients.

Web

React / Next.js server-rendered app consuming the core API directly.

Admin console

Next.js operations console — onboarding review, money-movement oversight, role-based access.

Mobile

Flutter cardholder app with passkeys and TLS certificate pinning.

Every client talks to the same versioned API — the same server-enforced rules apply everywhere.

Build on InterConnect.

Talk to the team about integrating issuance, ledger, identity, and security through one API.