# Authentication

The Exit WeWeb Portal uses Supabase Authentication with JWT tokens and Row Level Security (RLS).

## Authentication Flow

### 1. Login

```http
POST https://edknwrcztqwhskjpoxta.supabase.co/auth/v1/token?grant_type=password
Content-Type: application/json
apikey: YOUR_ANON_KEY

{
  "email": "user@example.com",
  "password": "password123"
}
```

Response:

```json
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "bearer",
  "expires_in": 3600,
  "refresh_token": "refresh_token_here",
  "user": {
    "id": "uuid",
    "email": "user@example.com",
    "role": "authenticated"
  }
}
```

### 2. Refresh Token

```http
POST https://edknwrcztqwhskjpoxta.supabase.co/auth/v1/token?grant_type=refresh_token
Content-Type: application/json
apikey: YOUR_ANON_KEY

{
  "refresh_token": "your_refresh_token"
}
```

### 3. Get Current User

```http
GET https://edknwrcztqwhskjpoxta.supabase.co/auth/v1/user
Authorization: Bearer YOUR_ACCESS_TOKEN
apikey: YOUR_ANON_KEY
```

## User Roles

The system implements three user roles:

### 1. Super Admin (super_admin)

- Full system access
- Bypasses all RLS policies
- Can manage all users, buildings, and inspections
- Can access system configuration

### 2. Client Admin (client_admin)

- Manages users within their client organization
- Full access to their client's buildings and inspections
- Can assign buildings/inspections to client managers
- Cannot access other clients' data

### 3. Client Manager (client_manager)

- View-only access to assigned buildings
- View-only access to assigned inspections
- Cannot modify any data
- Cannot manage users

## API Key Types

### Anonymous Key

- Used for authentication endpoints
- Limited access based on RLS policies
- Required in all API requests

### Service Role Key

- Bypasses RLS policies
- Used only for administrative tasks
- Should never be exposed to clients

## Security Functions

### Get User Role

```sql
SELECT get_user_role(auth.uid());
```

### Check Building Access

```sql
SELECT check_building_access_v2(building_id, auth.uid());
```

### Check Inspection Access

```sql
SELECT check_inspection_access(inspection_id, auth.uid());
```
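The following is an added example (not the portal's own schema or policies) of how the three roles and the `check_building_access_v2` / `get_user_role` functions above can be wired into RLS policies, plus how to verify the result from the SQL editor. It assumes a table `public.buildings` with a `uuid` column `id` and a `name` column, that `get_user_role` returns the role name as text and `check_building_access_v2` returns boolean, and that the super_admin "bypass" is expressed as an OR clause inside each policy.

```sql
-- Added example: assumed table public.buildings(id uuid, name text, ...).
-- Once RLS is enabled, every row is hidden until a policy grants it.
ALTER TABLE public.buildings ENABLE ROW LEVEL SECURITY;

-- Read access: super_admin sees every row; client_admin and client_manager
-- see only the rows the access function grants them.
CREATE POLICY buildings_select ON public.buildings
  FOR SELECT TO authenticated
  USING (
    get_user_role(auth.uid()) = 'super_admin'
    OR check_building_access_v2(id, auth.uid())
  );

-- Write access: client_manager is view-only, so only super_admin and a
-- client_admin with access to the row may change it. USING filters which
-- rows can be updated; WITH CHECK validates the row after the update.
CREATE POLICY buildings_update ON public.buildings
  FOR UPDATE TO authenticated
  USING (
    get_user_role(auth.uid()) = 'super_admin'
    OR (get_user_role(auth.uid()) = 'client_admin'
        AND check_building_access_v2(id, auth.uid()))
  )
  WITH CHECK (
    get_user_role(auth.uid()) = 'super_admin'
    OR (get_user_role(auth.uid()) = 'client_admin'
        AND check_building_access_v2(id, auth.uid()))
  );

-- Verification from the SQL editor: impersonate the Postgres role that
-- JWT-bearing requests run as, set the claims auth.uid() reads (placeholder
-- user id), then confirm a client_manager can SELECT but its UPDATE hits 0 rows.
BEGIN;
SET LOCAL ROLE authenticated;
SELECT set_config('request.jwt.claims',
                  '{"sub":"00000000-0000-0000-0000-000000000000","role":"authenticated"}',
                  true);
SELECT count(*) FROM public.buildings;     -- rows visible to this user
UPDATE public.buildings SET name = name;   -- expect UPDATE 0 for a client_manager
ROLLBACK;
```

INSERT and DELETE need their own policies with the same role logic; without them those operations are denied for every authenticated user, which is the safe default.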

## Headers for Authenticated Requests

```http
apikey: YOUR_ANON_KEY
Authorization: Bearer YOUR_ACCESS_TOKEN
Content-Type: application/json
```