Skip to main content

RBAC

App-wide roles

Built-in roles: super_admin, admin, user. Use @RequireAppRoles(AppRole.Admin) (or SuperAdmin) with AppRoleGuard on admin routes. Bootstrap super admin:
EMAIL=admin@example.com pnpm run bootstrap:super-admin

Organization roles

Built-in org roles: owner, admin, member, viewer. Organizations may define custom roles in organization_role with permission strings (for example org:view, billing:read). Assign via member.role using the custom role name.

Validate-session payload

GET /api/validate-session returns:
  • user, session, orgMemberRole
  • permissions — app-level from user.role
  • orgPermissions — org-level for the active org (custom role or built-in defaults)
Use these arrays for fine-grained UI and API checks in SPAs and services.

Cache services

ServiceUse
RateLimitCacheServiceLogin and OTP rate limits
OtpCooldownCacheServiceOTP send cooldown
SessionCacheServiceSession lookup / invalidation
ChallengeTokenCacheServiceOne-time challenge tokens
All keys are prefixed (for example fluide-auth:rate:login:ip).