Authentication

Overview

Tribe Social uses JWT (JSON Web Token) based authentication. Every authenticated request must carry the JWT in one of the following places:

  • A signed cookie named token
  • A header named token
  • A cookie named token

Authentication Flow

  1. User Authentication

    • Email/password
    • OTP (One-Time Password)
    • Social provider login
    • SSO integration (available for enterprise customers)
  2. Token Management

    • Tokens are valid for 30 days
    • Tokens should be included in all authenticated requests
    • Tokens can be refreshed before expiration

Authentication Levels

Tribe Social supports different authentication levels:

  1. Public Access

    • No authentication required
    • Limited to public content and basic platform information
  2. User Authentication

    • Required for most API endpoints
    • Access to user-specific content and features
    • Managed via isAuthenticated middleware
  3. Creator Access

    • Enhanced privileges for content creators
    • Access to creator-specific features
    • Managed via isAdminOrCreator middleware
  4. Admin Access

    • Full platform access
    • Administrative capabilities
    • Managed via isAdmin middleware

Error Handling

Authentication errors return standard HTTP status codes:

  • 401 Unauthorized: Missing or invalid token
  • 403 Forbidden: Insufficient permissions
  • 500 Internal Server Error: Server-side authentication errors

Security Best Practices

  1. Token Storage

    • Store tokens securely
    • Clear tokens on logout
    • Never expose tokens in URLs or logs
  2. HTTPS

    • All API requests must use HTTPS
    • Insecure HTTP requests are rejected
  3. Rate Limiting

    • Authentication attempts are rate-limited
    • Multiple failed attempts may trigger temporary blocks

Next Steps