Authentication

Overview

All APIs use AWS Cognito for authentication:

User Pool: us-east-1_75Rp4zNBg
JWT validated via JWKS endpoint
Access token required in Authorization: Bearer <token> header

Auth Flow

User logs in via Cognito (web/mobile)
Cognito issues JWT access token
API validates token via JwtStrategy
JwtAuthGuard enforces authentication globally
Additional guards check project/org access

Guards

JwtAuthGuard (Global)

Applied globally - all endpoints require valid JWT unless marked @Public().

ProjectAccessGuard

@UseGuards(JwtAuthGuard, ProjectAccessGuard)
@Controller('projects/:projectId/components')
export class ComponentsController {
  // User must have access to :projectId
}

OrgRolesGuard

@OrgRoles('admin', 'owner')
@UseGuards(JwtAuthGuard, OrgRolesGuard)
@Controller('organizations/:orgId/settings')
export class OrgSettingsController {
  // User must be admin or owner of :orgId
}

Accessing User Info

@Get('me')
getProfile(@CurrentUser() user: AuthUser) {
  // user.userId, user.email, user.groups, user.isPlatformAdmin
}

Overview​

Auth Flow​

Guards​

JwtAuthGuard (Global)​

ProjectAccessGuard​

OrgRolesGuard​

Accessing User Info​

Overview

Auth Flow

Guards

JwtAuthGuard (Global)

ProjectAccessGuard

OrgRolesGuard

Accessing User Info