Core entities
- Tenant: billing and governance boundary.
- Project: runtime/workspace boundary inside a tenant.
- User: identity principal.
- Session: authenticated device/browser state.
- Membership: user role bindings at tenant and project levels.
Session model
- Sessions are scoped and traceable.
- Refresh token rotation protects long-lived sessions.
- Membership or policy changes can invalidate stale sessions.
Role model
- Roles are evaluated in tenant/project context.
- Token claims carry effective role context.
- Access decisions should be made server-side per request.
Invalidation triggers
- Membership role changed
- Membership removed
- Security posture change (for example, a forced logout)
- Tenant/project deactivated
Audit implications
Identity lifecycle events should be logged with actor and context:
- who changed what
- where (tenant/project)
- when
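The session, role, invalidation and audit rules above, as an added Python example that is not the project's own code: a per-(user, tenant) version counter is bumped on every invalidation trigger, `authorize` re-checks session freshness and membership server-side on each request instead of trusting a role claim minted at login, and every lifecycle change is logged with actor, tenant/project and time. Role names and ranks are assumptions.

```python
import time

# Added example, not the project's code. Role names/ranks are assumptions.
ROLE_RANK = {"viewer": 1, "editor": 2, "admin": 3}


class IdentityService:
    def __init__(self):
        self.memberships = {}  # (user, tenant, project) -> role
        self.version = {}      # (user, tenant) -> counter bumped on every invalidation trigger
        self.sessions = {}     # session_id -> {"user", "tenant", "ver", "revoked"}
        self.audit = []        # who changed what, where (tenant/project), when

    def _log(self, actor, action, tenant, project=None, **detail):
        self.audit.append({"actor": actor, "action": action, "tenant": tenant,
                           "project": project, "at": time.time(), **detail})

    def _bump(self, user, tenant):
        self.version[(user, tenant)] = self.version.get((user, tenant), 0) + 1

    def set_membership(self, actor, user, tenant, project, role):
        """role=None removes the membership; either way the user's sessions go stale."""
        old = self.memberships.pop((user, tenant, project), None)
        if role is not None:
            self.memberships[(user, tenant, project)] = role
        self._bump(user, tenant)
        self._log(actor, "membership.changed", tenant, project, subject=user, old=old, new=role)

    def force_logout(self, actor, user, tenant):
        self._bump(user, tenant)  # posture change: invalidates sessions without touching roles
        self._log(actor, "session.force_logout", tenant, subject=user)

    def login(self, user, tenant, session_id):
        self.sessions[session_id] = {"user": user, "tenant": tenant, "revoked": False,
                                     "ver": self.version.get((user, tenant), 0)}
        self._log(user, "session.created", tenant, session_id=session_id)

    def authorize(self, session_id, project, required_role):
        """Server-side decision per request: re-check session freshness and membership,
        rather than trusting a role claim minted at login."""
        s = self.sessions.get(session_id)
        if s is None or s["revoked"]:
            return False, "no-session"
        if s["ver"] != self.version.get((s["user"], s["tenant"]), 0):
            s["revoked"] = True  # stale: membership/policy changed since the session was issued
            self._log("system", "session.invalidated", s["tenant"], session_id=session_id)
            return False, "stale-session"
        role = self.memberships.get((s["user"], s["tenant"], project))
        if role is None or ROLE_RANK[role] < ROLE_RANK[required_role]:
            return False, "forbidden"
        return True, role
```

A real deployment would persist the version counter alongside the session store and check it in the request middleware, so a membership change in one process invalidates sessions served by every other.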
Related docs
- Tenants and projects: /docs/concepts/tenant-project
- OAuth/OIDC security: /docs/reference/oauth-oidc-security
- Incident communication: /docs/reference/incident-comms