JWT & Sessions

Token Issuance

Tokens are issued by buildAuthSession() after successful authentication:

const session = await buildAuthSession(actor, {
  centerId: resolvedCenterId,
  authorizedDomains: domainInfo.domains,
  domainRoles: domainInfo.roles,
});

Token Lifecycle

Event	Action
Login	Issue new JWT
Center switch	Reissue with new `centerId`
Token refresh	Reissue with extended expiry
Logout	Invalidate session

Multi-Tenant Session

A single JWT carries the current tenant context. When switching centers:

Verify actor has active membership in target center
Reissue JWT with new centerId and domainRoles
Client refreshes with new token

POST /api/auth/switch-center
Authorization: Bearer <current-token>

{
  "centerId": "center_789"
}

Security Notes

All center access is verified through center_memberships — no direct access
basePrisma usage is audited for cross-center operations
Cron routes require verifyCronSecret() — 39 routes standardized

Getting Started

Architecture

Authentication

Tenant System

AI Agents

Guides

API Reference

JWT & Sessions

JWT & Sessions

Token Issuance

Token Lifecycle

Multi-Tenant Session

Security Notes

Getting Started

Architecture

Authentication

Tenant System

AI Agents

Guides

API Reference

​JWT & Sessions

​Token Issuance

​Token Lifecycle

​Multi-Tenant Session

​Security Notes

JWT & Sessions

Token Issuance

Token Lifecycle

Multi-Tenant Session

Security Notes