Senior Backend API & Integration Engineer — 24-Hour Paid Trial + 10-Day OpenReal Agent API Build
Budget: $500.00 (fixed price)
⭐ 2.98 (6)
ARE
api-integration, restful-api, postgresql, oauth, openapi, information-security
We are looking for a Senior Backend API and Integration Engineer to build a secure internal API layer between our OpenReal platform and our OpenClaw AI-agent system.
This is not a chatbot role, not a frontend role, not a UI or UX role, and not a blockchain-only role.
This is a backend, API, and security integration project.
Project Context
OpenReal is our private registry, compliance workflow, investment request, portfolio, transfer request, issuer and admin review, and audit-log platform.
OpenClaw is our internal AI-agent fleet. In Wave 2, three of its OpenReal-facing agents need controlled API access to OpenReal:
1. or-product
2. or-registry
3. or-demo
Main Objective
Build a secure internal Agent API inside OpenReal.
API namespace:
/api/internal/openclaw/v1
The API must allow agents to:
- read controlled OpenReal metadata
- track investment requests
- track transfer cases
- read registry and holding summaries where permitted
- read audit events where permitted
- create internal work items, case notes, and product issues
The agents must never be able to:
- mutate registry records
- approve KYC or KYB
- approve investment requests
- confirm payments
- finalize transfers
- send investor messages
- access raw identity documents
- access bank documents
- access wire receipts
- use shared admin credentials
- access the database directly
Timeline
Paid trial: 24 hours
Main implementation after trial: 10 calendar days
Budget
Total evaluation and initial implementation budget: USD 500.
Preferred structure:
- Candidate A paid 24-hour trial: USD 75
- Candidate B paid 24-hour trial: USD 75
- Winner 10-day implementation milestone: USD 350
- Total: USD 500
Alternative if we select one strong candidate:
- 24-hour paid trial: USD 100
- 10-day implementation milestone: USD 400
- Total: USD 500
Important Trial Process
We will screen candidates first through proposal answers, portfolio, and interview.
Only selected candidates may receive a paid 24-hour technical trial.
The trial is paid work. It is not unpaid work or a free competition.
Trial payment is released only if the written milestone acceptance criteria are met. If the submission is incomplete, broken, or missing required items, we may request revisions through Upwork’s fixed-price milestone review process.
24-Hour Paid Trial Task
Build a lightweight secure prototype or clean mock implementation.
Trial endpoints:
GET /api/internal/openclaw/v1/agent/context
GET /api/internal/openclaw/v1/transfer-cases
POST /api/internal/openclaw/v1/work-items
Trial requirements:
- one service account: openclaw-or-registry
- JWT or OAuth-style authentication
- scope-based access control
- unauthorized requests rejected
- invalid or expired tokens rejected
- mocked or real transfer-case dataset
- masked investor and sensitive fields
- audit log entry for every request, including rejected or unauthorized requests
- POST /work-items creates only an internal task or note and does not change transfer case status
- OpenAPI or Swagger documentation
- Postman collection or automated API test
- short technical handover note
- endpoints must run in a clean mock environment, staging branch, or local Docker setup that can be tested immediately
Because the trial is only 24 hours, we do not expect full production integration. We expect a clean, testable prototype that proves authentication, permissions, masking, audit logging, documentation, and API structure.
Trial Acceptance Criteria
The 24-hour trial milestone is accepted only if all required items are delivered:
1. GET /agent/context works
2. GET /transfer-cases works
3. POST /work-items works
4. openclaw-or-registry service account exists
5. JWT or OAuth-style authentication is implemented
6. unauthorized requests are rejected
7. invalid or expired tokens are rejected
8. scope-based access control is implemented
9. sensitive investor fields are masked
10. every API request creates an audit log entry
11. POST /work-items creates only an internal task or note
12. transfer case status is not changed by the agent
13. OpenAPI or Swagger documentation is provided
14. Postman collection or automated API test is provided
15. short handover note is provided
16. endpoints can be tested immediately
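The trial requirements and acceptance criteria above name the mechanisms (bearer-token validation, expiry and tamper rejection, scope checks, field masking, an audit entry for every request, and a write endpoint that cannot touch case status) but leave the implementation open. The following dependency-free Python prototype of the three trial endpoints is an added example written for this page, not code from OpenReal, OpenClaw or the posting. The scope names, the HS256 signing secret, the masking rules and the sample transfer-case record are assumptions constructed for the example; in a real build the identity provider would issue the token and a maintained JWT library would verify it.

```python
"""Added example: stdlib-only prototype of the three trial endpoints.
Scope names, the HS256 secret, masking rules and the dataset are assumptions."""
import base64, hashlib, hmac, json, time

SECRET = b"demo-secret-change-me"          # assumed; the IdP signs tokens in production
SERVICE_ACCOUNT = "openclaw-or-registry"  # service account named in the posting
PREFIX = "/api/internal/openclaw/v1"

# Assumed scope names; the posting only requires "scope-based access control".
SCOPE_READ_CASES = "transfer-cases:read"
SCOPE_WRITE_WORK_ITEMS = "work-items:write"

# Constructed sample data. The document reference never leaves the server.
TRANSFER_CASES = [{"id": "tc-1001", "status": "pending_payment_confirmation",
                   "investor_name": "Alice Example",
                   "investor_iban": "AE070331234567890123456",
                   "passport_doc_ref": "s3://private/passport-1001.pdf"}]
WORK_ITEMS = []   # notes/tasks created by agents; never tied to a status change
AUDIT_LOG = []    # one entry per request, written before any auth decision


class AuthError(Exception):
    def __init__(self, status, msg):
        super().__init__(msg); self.status = status


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(sub, scopes, ttl=300, now=None):
    """Issue an HS256 JWT for a service account (stands in for the IdP)."""
    now = time.time() if now is None else now
    header = _b64(json.dumps({"alg": "HS256"}).encode())
    payload = _b64(json.dumps({"sub": sub, "scope": " ".join(scopes),
                               "exp": int(now + ttl)}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token, now=None):
    """Reject malformed, tampered or expired tokens; the algorithm is pinned."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        hdr = json.loads(_unb64(header))
        if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise ValueError("bad signature")
        claims = json.loads(_unb64(payload))
        if not isinstance(claims, dict) or "sub" not in claims:
            raise ValueError("bad claims")
    except ValueError:          # also covers base64, JSON and unpacking failures
        raise AuthError(401, "invalid token")
    if claims.get("exp", 0) <= now:
        raise AuthError(401, "token expired")
    return claims

def mask_case(case):
    """Field-level masking: partial name, last four IBAN digits, no document refs."""
    return {"id": case["id"], "status": case["status"],
            "investor_name": case["investor_name"][0] + "***",
            "investor_iban": "****" + case["investor_iban"][-4:]}

def handle(method, path, headers, body=None, now=None):
    """Dispatch one request. Every request is audited, denials included."""
    now = time.time() if now is None else now
    entry = {"ts": now, "method": method, "path": path, "sub": None, "status": None}
    AUDIT_LOG.append(entry)
    try:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            raise AuthError(401, "missing bearer token")
        claims = verify_token(auth[len("Bearer "):], now)
        entry["sub"] = claims["sub"]
        scopes = set(claims.get("scope", "").split())
        def need(scope):
            if scope not in scopes:
                raise AuthError(403, f"missing scope {scope}")
        if (method, path) == ("GET", PREFIX + "/agent/context"):
            result = 200, {"agent": claims["sub"], "scopes": sorted(scopes)}
        elif (method, path) == ("GET", PREFIX + "/transfer-cases"):
            need(SCOPE_READ_CASES)
            result = 200, [mask_case(c) for c in TRANSFER_CASES]
        elif (method, path) == ("POST", PREFIX + "/work-items"):
            need(SCOPE_WRITE_WORK_ITEMS)
            item = {"id": f"wi-{len(WORK_ITEMS) + 1}", "case_id": body["case_id"],
                    "note": body["note"], "created_by": claims["sub"]}
            WORK_ITEMS.append(item)   # a note only; no code path touches case status
            result = 201, item
        else:
            result = 404, {"error": "not found"}
    except AuthError as err:
        result = err.status, {"error": str(err)}
    entry["status"] = result[0]
    return result
```

The audit entry is appended before the token is even looked at, so a missing, expired or tampered token still leaves a record with the 401 status; the service account's scopes decide what each route may do, and the masked view is the only representation of a transfer case the agent ever receives.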
10-Day Main Implementation
The best-performing candidate may continue to the 10-day OpenReal and OpenClaw Agent API implementation.
10-day delivery plan:
Day 1:
Review existing OpenReal backend structure, API patterns, auth and RBAC, registry, transfer and request data models, and staging setup. Confirm implementation plan and permission matrix.
Day 2:
Create the internal OpenClaw API namespace. Add INTERNAL_AGENT role family. Add service accounts for openclaw-or-product, openclaw-or-registry, and openclaw-or-demo.
Day 3:
Implement authentication, JWT or OAuth-style token validation, scope checks, environment separation, and unauthorized or expired token rejection.
Day 4:
Implement core read endpoints:
GET /agent/context
GET /investment-requests
GET /investment-requests/{id}
GET /transfer-cases
GET /transfer-cases/{id}
Day 5:
Implement additional read endpoints:
GET /transfer-cases/{id}/timeline
GET /portfolio/lots
GET /registry/holdings
GET /audit/events
Day 6:
Implement field masking, object-level permission checks, and per-agent access boundaries.
Day 7:
Implement safe write endpoints:
POST /work-items
POST /case-notes
POST /product-issues
These endpoints must create internal notes and tasks only. They must not mutate registry records, approve KYC, confirm payment, finalize transfers, or send messages.
Day 8:
Implement demo and sandbox access for or-demo:
GET /demo/opportunities
GET /demo/transfer-cases
POST /demo/scenarios
Ensure or-demo cannot access production investor data.
Day 9:
Implement basic event feed:
GET /events
Supported events:
investment_request.created
investment_request.status_changed
transfer_request.created
transfer_case.status_changed
document_package.status_changed
payment_confirmation.uploaded
registry.updated
kyc.status_changed
audit_event.created
Day 10:
Final QA, OpenAPI or Swagger docs, Postman collection or automated API tests, staging deployment, security checklist, handover note, and final walkthrough.
Expected Full API Scope
GET /api/internal/openclaw/v1/agent/context
GET /api/internal/openclaw/v1/investment-requests
GET /api/internal/openclaw/v1/investment-requests/{id}
GET /api/internal/openclaw/v1/portfolio/lots
GET /api/internal/openclaw/v1/registry/holdings
GET /api/internal/openclaw/v1/transfer-cases
GET /api/internal/openclaw/v1/transfer-cases/{id}
GET /api/internal/openclaw/v1/transfer-cases/{id}/timeline
GET /api/internal/openclaw/v1/audit/events
POST /api/internal/openclaw/v1/work-items
POST /api/internal/openclaw/v1/case-notes
POST /api/internal/openclaw/v1/product-issues
GET /api/internal/openclaw/v1/demo/opportunities
GET /api/internal/openclaw/v1/demo/transfer-cases
POST /api/internal/openclaw/v1/demo/scenarios
GET /api/internal/openclaw/v1/events
Required Internal Roles
INTERNAL_AGENT
AGENT_OR_PRODUCT
AGENT_OR_REGISTRY
AGENT_OR_DEMO
Required Service Accounts
openclaw-or-product
openclaw-or-registry
openclaw-or-demo
Each service account must have separate permissions. No shared admin login and no shared production API key.
Required Skills
- Senior backend API development
- REST API design
- API security
- OAuth2, JWT, and service accounts
- RBAC and ABAC permissions
- OpenAPI or Swagger
- Postman or automated API testing
- Webhooks or event feeds
- PostgreSQL or similar relational database
- Audit logging
- Field-level data masking
- Secure handling of PII
- Staging and production environment discipline
Nice to Have
- Financial platform experience
- KYC and KYB workflow experience
- Registry or cap-table system experience
- Private investment platform experience
- AI-agent tool integration experience
- Supabase or PostgreSQL RLS experience
- Node.js, NestJS, or Express experience
- Python or FastAPI experience if relevant
Who Should Not Apply
Please do not apply if you are only a frontend developer, UI or UX designer, chatbot builder, prompt engineer, blockchain-only developer, smart-contract-only developer, or junior developer without API security experience.
This project requires backend architecture, API security, permissions, field masking, audit logs, and controlled system access.
Product Boundary
OpenReal Current Mode is a controlled registry and workflow platform. It must not behave like a marketplace, exchange, broker, custodian, trading venue, wallet platform, order book, or public token sale platform.
Use safe platform language:
- Investment Request
- Request Transfer
- Transfer Case
- Opportunity Registry
- Digital ownership registry
- Account
- Holdings
- Pending Payment Confirmation
Avoid:
- buy
- sell
- trade
- marketplace
- exchange
- order book
- wallet
- settlement
- liquidity
- tokenized shares
- guaranteed return
- guaranteed liquidity
Screening Questions
Please answer these in your proposal:
1. Start your proposal with this exact sentence:
I understand this is a backend API and security integration project, not an AI chatbot project.
2. Can you complete the 24-hour paid trial task?
3. Can you complete the main implementation in 10 calendar days if selected?
4. Have you built machine-to-machine APIs using OAuth2, JWT, or service accounts before? Give one example.
5. How would you prevent an internal AI agent from accessing raw investor documents, passports, Emirates IDs, bank details, or wire receipts?
6. How would you design separate scopes for or-product, or-registry, and or-demo?
7. What is the difference between endpoint-level permission, object-level permission, and field-level permission?
8. How would you audit log every API request?
9. What would your data masking approach be?
10. What backend stack are you strongest in?
11. Have you worked on financial, investment, registry, KYC, KYB, or compliance workflow systems before?
Proposal Instruction
Please do not send a generic proposal.
In your first message, include:
- your relevant backend and API security experience
- your approach to the 24-hour trial
- your preferred authentication method
- your availability to start immediately
- confirmation that you can deliver within 10 calendar days
- your fixed price for the 24-hour trial
- examples of similar APIs or integrations you built
- whether you can provide OpenAPI docs and Postman or API tests