# Users & Roles
SpaceOS uses role-based access control (RBAC) to manage permissions within organizations.
## Role Hierarchy
| Role | Capabilities |
|---|---|
| Super Admin | Platform-level access across all organizations |
| Owner | Full control of their organization |
| Admin | Manage spaces, bookings, devices, and users within the organization |
| Member | Create and manage their own bookings |
| Guest | Limited access for one-time bookings |
## Authentication Methods
| Method | Use Case | Header |
|---|---|---|
| OTP → JWT | User authentication (admin dashboard, mobile app) | Authorization: Bearer <jwt> |
| API Key | System-level integrations between services | x-api-key: <key> |
| Org API Key | Organization-scoped external integrations | x-org-api-key: <key> |
## Permission Model
- Roles define a set of permissions (read, write, delete for each resource type)
- Permissions are checked via guards on each API endpoint
- Org API Keys carry their own permission set, independent of user roles
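The following is an added, framework-agnostic example (not SpaceOS code) showing how the three header forms from the Authentication Methods table and the permission checks from the Permission Model fit together in one guard. Only the role names and header names come from this page; the resource types (`spaces`, `bookings`, `devices`, `users`), the mapping of each role to read/write/delete, the rule that scopes every non-Super-Admin principal to a single organization, the HS256 secret, the key registries and the JWT claim names are all constructed assumptions for the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Role and header names come from the docs page; everything below that is
// marked "constructed" or "assumed" is an assumption made for this example.
type Action = "read" | "write" | "delete";
type Resource = "spaces" | "bookings" | "devices" | "users";   // assumed resource types
type Permission = `${Resource}:${Action}`;
type Role = "super_admin" | "owner" | "admin" | "member" | "guest";

// A resolved caller. orgId === null means platform-wide (Super Admin, system API key).
interface Principal {
  kind: "user" | "api_key" | "org_api_key";
  orgId: string | null;
  permissions: Set<Permission>;
}

const ALL: Resource[] = ["spaces", "bookings", "devices", "users"];
const ACTIONS: Action[] = ["read", "write", "delete"];

function grant(resources: Resource[], actions: Action[]): Set<Permission> {
  const s = new Set<Permission>();
  for (const r of resources) for (const a of actions) s.add(`${r}:${a}`);
  return s;
}

// Role -> permission set (assumed mapping). Org-wide roles get every resource;
// Member and Guest only touch bookings. Limiting a Member to *their own* bookings
// is an ownership check in the handler, not a permission, so it is not modelled here.
const ROLE_PERMISSIONS: Record<Role, Set<Permission>> = {
  super_admin: grant(ALL, ACTIONS),
  owner: grant(ALL, ACTIONS),
  admin: grant(ALL, ACTIONS),
  member: grant(["bookings"], ACTIONS),
  guest: grant(["bookings"], ["read", "write"]),
};

// Constructed credential stores standing in for a real secret manager / database.
const JWT_SECRET = "example-hs256-secret-do-not-reuse";
const SYSTEM_API_KEYS = new Set(["sys-key-1"]);                       // x-api-key
const ORG_API_KEYS: Record<string, { orgId: string; permissions: Set<Permission> }> = {
  "org-key-1": { orgId: "org-a", permissions: grant(["bookings"], ["read"]) }, // x-org-api-key
};

const b64url = (s: string): string => Buffer.from(s, "utf8").toString("base64url");

// Minimal HS256 verification: constant-time signature compare, then an exp check.
// A real deployment would also pin the alg header, check iss/aud and handle clock skew.
function verifyJwt(token: string, now = Math.floor(Date.now() / 1000)):
    { sub: string; role: Role; org: string | null } | null {
  const [h, p, sig] = token.split(".");
  if (!h || !p || !sig) return null;
  const expected = createHmac("sha256", JWT_SECRET).update(`${h}.${p}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let claims: any;
  try { claims = JSON.parse(Buffer.from(p, "base64url").toString("utf8")); } catch { return null; }
  if (typeof claims.exp === "number" && claims.exp <= now) return null;   // expired
  return { sub: claims.sub, role: claims.role, org: claims.org ?? null };
}

// Mints a token for the example only; in SpaceOS the OTP flow issues the JWT.
function mintJwt(claims: object): string {
  const h = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const p = b64url(JSON.stringify(claims));
  const sig = createHmac("sha256", JWT_SECRET).update(`${h}.${p}`).digest("base64url");
  return `${h}.${p}.${sig}`;
}

// Resolve a Principal from the three header forms. Header names are assumed lower-cased.
function resolvePrincipal(headers: Record<string, string>): Principal | null {
  const auth = headers["authorization"];
  if (auth && auth.startsWith("Bearer ")) {
    const claims = verifyJwt(auth.slice("Bearer ".length));
    if (!claims || !(claims.role in ROLE_PERMISSIONS)) return null;
    return { kind: "user", orgId: claims.role === "super_admin" ? null : claims.org,
             permissions: ROLE_PERMISSIONS[claims.role] };
  }
  if (headers["x-api-key"] && SYSTEM_API_KEYS.has(headers["x-api-key"])) {
    return { kind: "api_key", orgId: null, permissions: grant(ALL, ACTIONS) };
  }
  const orgKey = ORG_API_KEYS[headers["x-org-api-key"] ?? ""];
  if (orgKey) {
    // Org API Keys carry their own permission set; no user role is consulted.
    return { kind: "org_api_key", orgId: orgKey.orgId, permissions: orgKey.permissions };
  }
  return null;
}

// The per-endpoint guard: 401 when no valid credential, 403 for a different
// organization (tenant isolation) or a missing permission, 200 otherwise.
function guard(headers: Record<string, string>, orgId: string, perm: Permission): 200 | 401 | 403 {
  const principal = resolvePrincipal(headers);
  if (!principal) return 401;
  if (principal.orgId !== null && principal.orgId !== orgId) return 403;
  return principal.permissions.has(perm) ? 200 : 403;
}
```

Two design points worth noting: the guard distinguishes "who are you" (401) from "you may not do this here" (403), and the organization check runs before the permission check, so an Admin of one organization with full permissions still cannot reach another organization's resources. Org API Keys go through the same guard but bring their own permission set, which matches the third bullet above.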
## Next Steps
- Devices & Criticality Tiers — Device classification system
- Authentication Guide — Implementation details