Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.cronozen.com/llms.txt

Use this file to discover all available pages before exploring further.

JWT & Sessions

Token Issuance

Tokens are issued by buildAuthSession() after successful authentication: 
const session = await buildAuthSession(actor, {
  centerId: resolvedCenterId,
  authorizedDomains: domainInfo.domains,
  domainRoles: domainInfo.roles,
});

Token Lifecycle

EventAction
LoginIssue new JWT
Center switchReissue with new centerId
Token refreshReissue with extended expiry
LogoutInvalidate session

Multi-Tenant Session

A single JWT carries the current tenant context. When switching centers:
  1. Verify actor has active membership in target center
  2. Reissue JWT with new centerId and domainRoles
  3. Client refreshes with new token
POST /api/auth/switch-center
Authorization: Bearer <current-token>

{
  "centerId": "center_789"
}

Security Notes

  • All center access is verified through center_memberships — no direct access
  • basePrisma usage is audited for cross-center operations
  • Cron routes require verifyCronSecret() — 39 routes standardized