§ 02.03 — Auth & Permissions
Right people, right access.
Sessions, SSO and role-based access that keeps the right people in — and everything else out. MFA, token lifecycle and RBAC, engineered without loopholes.
access control matrix

Role     Billing  Users  Content  Reports  Settings  API keys
Admin    ✓        ✓      ✓        ✓        ✓         ✓
Editor   ×        ×      ✓        ✓        ×         ×
Viewer   ×        ×      ×        ✓        ×         ×
Guest    ×        ×      ×        ×        ×         ×
§ Flow — Login to session
Every step, verified
Credentials, MFA, signed tokens, rotating refresh — a login flow with no shortcuts and a complete audit trail for every authentication event.
auth sequence

1. POST /auth/login
2. credentials verified
3. MFA challenge issued
4. TOTP code validated
5. JWT signed (HS256)
6. refresh token stored
✓ session established
§ Capability — How we secure access
Secure by design
01
Session & SSO
Cookie sessions, JWTs and SAML/OIDC single-sign-on — whichever fits your stack and your compliance requirements.
02
MFA
TOTP, SMS and hardware keys layered in, with recovery codes and bypass flows that are actually auditable.
03
Role-based access
Fine-grained RBAC that lives in the database — not scattered across middleware — so your team can audit it.
04
Token lifecycle
Short-lived access tokens, rotating refresh tokens, silent renewal and secure revocation on logout.
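The rotating-refresh and revocation behaviour described above, as an added illustration that is not the project's own code: each refresh token is single-use, rotation issues a successor in the same "family", presenting an already-used token is treated as a replay and revokes the whole family, and logout revokes the family outright. The TTL values and the in-memory store are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass

REFRESH_TTL = 7 * 86400  # assumed 7-day refresh-token lifetime


@dataclass
class RefreshRecord:
    user: str
    family: str      # every token descended from one login shares a family id
    expires: float   # absolute expiry, seconds since epoch
    used: bool = False


class TokenStore:
    """Server-side refresh-token state: rotation, replay detection, revocation."""

    def __init__(self):
        self.refresh = {}              # opaque token -> RefreshRecord
        self.revoked_families = set()  # families killed by logout or replay

    def _issue(self, user, family, now):
        token = secrets.token_urlsafe(32)
        self.refresh[token] = RefreshRecord(user, family, now + REFRESH_TTL)
        return token

    def login(self, user, now=None):
        # A fresh login starts a new family; the access token is issued separately.
        now = time.time() if now is None else now
        return self._issue(user, secrets.token_hex(8), now)

    def rotate(self, token, now=None):
        # Silent renewal: trade a valid, unused refresh token for a new one.
        now = time.time() if now is None else now
        rec = self.refresh.get(token)
        if rec is None or rec.family in self.revoked_families or now >= rec.expires:
            return None
        if rec.used:
            # The same refresh token presented twice means it was copied or replayed;
            # revoke the entire family so neither holder keeps access.
            self.revoked_families.add(rec.family)
            return None
        rec.used = True
        return self._issue(rec.user, rec.family, now)

    def logout(self, token):
        # Revoking the family invalidates every successor token, not just this one.
        rec = self.refresh.get(token)
        if rec is not None:
            self.revoked_families.add(rec.family)
```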
Let's talk security