Owner: Robert Taylor (Eng) · Department: Engineering · Status: Live · Version: 1.0
Effective Date: 2026-06-13 · Last Reviewed: 2026-06-13 · Next Review Date: 2026-09-13
Source of Truth: code (FastAPI backend) · Maturity: 4 (Operational)
Auth0 with per-surface audiences; application-layer tenant scoping; an 8-role vendor permission model.
User (customers) + VendorUser (vendor staff).
org_id → Vendor.auth0_org_id.
rbac_matrix.py.
admin_bypass TO postgres covers the app role (§2.7).
Distilled from docs/audits/backend-truth-audit-2026-06-13.md and portal-maturity-audit-2026-06-13.md.