Overview
STD Plus uses JWT Bearer Token authentication. All protected endpoints require a valid token in theAuthorization header.
Roles & Authorization
STD Plus uses a dynamic, permission-based access control system. Roles are fully customizable — admins can create any role with any combination of permissions.How It Works
- Roles are stored in the database and managed via the
/api/rolesendpoints - Each role has a permissions array — a list of permission keys like
orders:view,panes:scan - Every worker is assigned one role (as an ObjectId reference)
- On login, the full role object (with permissions) is returned
- Every API endpoint checks the worker’s permissions before allowing access
System Roles (Defaults)
Three system roles are pre-seeded. They cannot be deleted, but their permissions can be modified.| Role | Slug | Permissions |
|---|---|---|
| Admin | admin | * (wildcard — full access to everything) |
| Manager | manager | All permissions except workers:manage and roles:manage |
| Worker | worker | View-only for most resources, plus claims:create, panes:scan, pane_logs:view, production_logs:create, inventory:move, withdrawals:create |
POST /api/roles.
Permission Keys
Permissions follow theresource:action format. Use GET /api/roles/permissions to fetch the full list programmatically.
| Resource | Available Permissions |
|---|---|
| Workers | workers:view, workers:manage |
| Customers | customers:view, customers:manage |
| Materials | materials:view, materials:manage |
| Inventories | inventory:view, inventory:move, inventory:manage |
| Material Logs | material_logs:view, material_logs:manage |
| Requests | requests:view, requests:manage |
| Orders | orders:view, orders:create, orders:manage |
| Claims | claims:view, claims:create, claims:approve, claims:manage |
| Panes | panes:view, panes:create, panes:scan, panes:manage |
| Pane Logs | pane_logs:view |
| Production Logs | production_logs:view, production_logs:create, production_logs:manage |
| Stations | stations:view, stations:manage |
| Station Templates | station_templates:view, station_templates:manage |
| Sticker Templates | sticker_templates:view, sticker_templates:manage |
| Job Types | job_types:view, job_types:manage |
| Pricing | pricing:view, pricing:manage |
| Notifications | notifications:view, notifications:create, notifications:manage |
| Withdrawals | withdrawals:view, withdrawals:create, withdrawals:manage |
| Roles | roles:view, roles:manage |
:view grants read access (GET). :create grants creation (POST). :manage grants full CRUD (create, update, delete). A role with orders:view and orders:create can list and create orders, but cannot update or delete them.Ownership Checks
Some endpoints enforce ownership for users without the:manage permission:
- Orders — users with
orders:view(but notorders:manage) can only update orders assigned to them - Claims — users with
claims:view(but notclaims:manage) can only update claims they reported - Notifications — users with
notifications:view(but notnotifications:manage) can only update their own notifications
Getting a Token
Send a login request with valid credentials:Using the Token
Include the token in every protected request:Token Details
| Property | Value |
|---|---|
| Algorithm | HS256 |
| Expiration | Configurable via JWT_EXPIRES_IN (default: 7d in src/config/env.js) |
| Payload | { id: "<worker_id>" } |
Error Responses
Missing token (401)
Missing token (401)
Invalid or expired token (401)
Invalid or expired token (401)
Not authorized for this action (403)
Not authorized for this action (403)
Invalid credentials (401)
Invalid credentials (401)