Security
JWT and Google Sign-In, role-based access control (RBAC), multi-tenant and multi-company isolation. Every API request validates token, tenant, and permissions.
Authentication
- JWT — Primary. Clients obtain a token via login and send it on every request as Authorization: Bearer {token}
- Google Sign-In — OAuth 2.0; the system maps the Google identity to an internal user
- 401 returned when the token is missing or invalid
Multi-tenant & multi-company
TenantId is taken from the JWT (or from the subdomain / X-Tenant-Id header). All queries filter by tenant_id. Users can additionally be restricted to specific companies/branches; this data-level security limits what they see.
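The data-level side of the rule above ("all queries filter by tenant_id", optionally narrowed to a user's companies), as an added example that is not the project's own code. It uses an in-memory SQLite table; the table and column names (gl_entries, tenant_id, company_id) and the sample rows are constructed for illustration. The last function shows the query shape the tenant predicate exists to prevent: company ids repeat across tenants, so filtering on company alone leaks another tenant's rows.

```python
"""Tenant and company scoping at the data layer, using an in-memory SQLite table.

Added example, not the project's own code. Table/column names (gl_entries,
tenant_id, company_id) and the sample rows are constructed for illustration.
"""
import sqlite3
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    """What the request gate hands to the data layer after validating the token."""
    user_id: str
    tenant_id: str
    company_ids: frozenset = field(default_factory=frozenset)  # empty = every company in the tenant


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE gl_entries (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, "
        "company_id TEXT NOT NULL, amount INTEGER NOT NULL)"
    )
    # Constructed rows. Note that company ids repeat across tenants: "co-1" exists in both.
    conn.executemany("INSERT INTO gl_entries VALUES (?, ?, ?, ?)", [
        (1, "acme", "co-1", 100),
        (2, "acme", "co-2", 250),
        (3, "acme", "co-1", 40),
        (4, "globex", "co-1", 999),
    ])
    return conn


def list_gl_entries(conn, who: Principal):
    """Every query starts from the tenant predicate; a company restriction only narrows it."""
    sql = "SELECT id, company_id, amount FROM gl_entries WHERE tenant_id = ?"
    params = [who.tenant_id]
    if who.company_ids:
        sql += " AND company_id IN (%s)" % ",".join("?" * len(who.company_ids))
        params.extend(sorted(who.company_ids))
    return conn.execute(sql + " ORDER BY id", params).fetchall()


def get_gl_entry(conn, who: Principal, entry_id: int):
    """Lookups by primary key keep the tenant predicate too, so a guessed id from
    another tenant is indistinguishable from a missing row."""
    row = conn.execute(
        "SELECT id, company_id, amount FROM gl_entries WHERE id = ? AND tenant_id = ?",
        (entry_id, who.tenant_id),
    ).fetchone()
    if row is not None and who.company_ids and row[1] not in who.company_ids:
        return None
    return row


def unsafe_list_by_company(conn, company_ids):
    """The mistake the tenant predicate prevents: filtering on company alone
    also returns the other tenant's "co-1" rows."""
    sql = "SELECT id, company_id, amount FROM gl_entries WHERE company_id IN (%s) ORDER BY id"
    sql %= ",".join("?" * len(company_ids))
    return conn.execute(sql, sorted(company_ids)).fetchall()
```

The point of the by-id lookup is that a 404 and a cross-tenant access look the same to the caller; returning 403 there would confirm that the id exists in another tenant.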
Authorization (RBAC)
Fine-grained permissions per endpoint (e.g. api:finance:gl:read, api:finance:payments:approve). Roles group permissions. 403 when user lacks permission.
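The per-request gate the section describes (validate the bearer token, resolve the tenant, check the permission, answer 401 or 403), as an added example that is not the project's own code. Assumptions: HS256 with a shared secret, verified by a small stdlib routine that stands in for a vetted JWT library; the claim names tid, roles and tenants; the role table; and the base domain used for subdomain resolution. The caveat it encodes: when the tenant can also arrive via X-Tenant-Id or the subdomain, the token stays authoritative and a hint that disagrees with it is treated as a cross-tenant attempt, not as an override.

```python
"""Per-request gate: validate the bearer JWT, resolve the tenant, check the permission.

Added example, not the project's own code. Assumptions: HS256 with a shared
secret (stdlib verifier standing in for a vetted JWT library), claim names
"tid", "roles" and "tenants", the role table below, and the base domain.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-secret-do-not-ship"   # assumption: shared HMAC key for the example
BASE_DOMAIN = "erp.example"            # assumption: tenants are served at <tenant>.erp.example
ROLE_PERMISSIONS = {                   # assumption: roles grouping the permission names the page lists
    "gl-viewer": {"api:finance:gl:read"},
    "payments-approver": {"api:finance:gl:read", "api:finance:payments:approve"},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict, key: bytes = SECRET) -> str:
    """Mint an HS256 JWT (only here so the example is self-contained)."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, key: bytes = SECRET, now=None):
    """Return the claims, or None for any structural, algorithm, signature or expiry failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm server-side; honouring "alg" from the token enables alg=none attacks.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        now = time.time() if now is None else now
        if not isinstance(claims, dict) or claims["exp"] <= now:  # exp is mandatory here
            return None
    except (ValueError, TypeError, KeyError):
        return None
    return claims


def tenant_from_host(host: str):
    suffix = "." + BASE_DOMAIN
    if host.endswith(suffix):
        sub = host[: -len(suffix)]
        return sub if sub and "." not in sub else None
    return None


def resolve_tenant(claims: dict, headers: dict, host: str):
    """The token is authoritative; X-Tenant-Id or the subdomain may only agree with it."""
    hint = headers.get("X-Tenant-Id") or tenant_from_host(host)
    tenant = claims.get("tid")
    if tenant is None:
        # Assumption: a user belonging to several tenants carries a "tenants" list and
        # selects one per request via the hint; anything outside that list is refused.
        return hint if hint in claims.get("tenants", []) else None
    if hint is not None and hint != tenant:
        return None  # hint disagrees with the token: cross-tenant attempt
    return tenant


def authorize(headers: dict, host: str, required_permission: str, now=None):
    """Return (status, detail): 401 for token problems, 403 for tenant or permission problems."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(auth[len("Bearer "):], now=now)
    if claims is None:
        return 401, "invalid or expired token"
    tenant = resolve_tenant(claims, headers, host)
    if tenant is None:
        return 403, "tenant mismatch"
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in claims.get("roles", [])))
    if required_permission not in granted:
        return 403, "missing permission " + required_permission
    return 200, {"sub": claims.get("sub"), "tenant": tenant, "permissions": sorted(granted)}
```

Two details worth keeping when porting this to a real library: the algorithm is fixed by the server, never read from the token header, and expiry is enforced with an injectable clock so the rejection path is unit-testable.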
Security API
GET /api/security/companies
GET /api/security/branches
GET /api/security/users
POST /api/security/users
PUT /api/security/users/{id}
GET /api/security/roles
GET /api/security/permissions