Authentication & Authorization
Password policy, session management, and Role-Based Access Control (RBAC).
Authentication Methods
| Method | Use Case | Security Level |
|---|---|---|
| Email + Password | Standard staff login | Baseline |
| Email + Password + MFA | Elevated access | Enhanced |
| SSO (SAML 2.0 / OIDC) | Enterprise integration | Enterprise |
| API Key + Secret | Service-to-service | Programmatic |
| Magic Link | Foster portal, public | Passwordless |
Password Policy
| Setting | Value |
|---|---|
| Minimum length | 12 characters |
| Complexity | 3 of 4: upper, lower, number, special |
| History | Last 12 passwords blocked |
| Expiration | 90 days (configurable) |
| Lockout | 5 failed attempts → 15 min lockout |
| Storage | Argon2id hash |
Session Management
| Setting | Value |
|---|---|
| Session duration | 8 hours (configurable) |
| Idle timeout | 30 minutes (configurable) |
| Concurrent sessions | Allowed (max 5) |
| Session storage | Server-side, encrypted |
| Token rotation | Every 15 minutes |
| Logout | Immediate invalidation |
Role-Based Access Control (RBAC)
| Role | Permissions |
|---|---|
| SUPERADMIN | All permissions + system configuration |
| ADMIN | User management, protocol configuration, reports |
| SUPERVISOR | Override approval, bulk actions (safety), transfers |
| MEDICAL_STAFF | Medical records, controlled substances, prescriptions |
| STAFF | Animal management, intake, outcomes, daily care |
| VOLUNTEER | Limited: observations, walking logs, basic care |
| FOSTER | Foster portal only: assigned animals, updates |
| PUBLIC | Public portal: applications, donations |
API Authentication
```http
# API Key Header
X-API-Key: pk_live_abc123...

# Bearer Token (OAuth)
Authorization: Bearer eyJhbGc...

# Webhook Signature
X-Pet360-Signature: sha256=...
```
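The page shows the `X-Pet360-Signature: sha256=...` header but not how a receiver should check it. The following is an added example, not Pet360's own code; it assumes the common scheme of an HMAC-SHA256 over the raw request body keyed with a shared webhook secret, and shows both the sender's signing step and a receiver-side check that rejects missing or malformed headers and compares in constant time.

```python
import hashlib
import hmac
from typing import Optional

# Assumed scheme (not stated on the page): HMAC-SHA256 over the raw body,
# keyed with the webhook secret, sent as "X-Pet360-Signature: sha256=<hex>".
SIGNATURE_HEADER = "X-Pet360-Signature"
HEX_DIGEST_LEN = 64  # SHA-256 produces 32 bytes = 64 hex characters


def sign_payload(secret: bytes, body: bytes) -> str:
    """Produce the header value a sender would attach to the webhook."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Return True only if the header is well-formed and matches the raw body.

    Verify against the raw bytes as received, before any JSON parsing, so that
    re-serialisation differences cannot change the digest.
    """
    if not header_value:
        return False  # header missing: never accept an unsigned delivery
    scheme, sep, received = header_value.partition("=")
    if sep != "=" or scheme.strip().lower() != "sha256":
        return False  # unknown or malformed scheme prefix
    received = received.strip().lower()
    if len(received) != HEX_DIGEST_LEN or any(c not in "0123456789abcdef" for c in received):
        return False  # not a hex SHA-256 digest; also keeps compare_digest on ASCII input
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak timing about the match prefix.
    return hmac.compare_digest(expected, received)


# Constructed sample values for a stand-alone run (not real credentials or events).
SAMPLE_SECRET = b"whsec_constructed_example_secret"
SAMPLE_BODY = b'{"event":"animal.intake","animal_id":"A-1001"}'

if __name__ == "__main__":
    sig = sign_payload(SAMPLE_SECRET, SAMPLE_BODY)
    print(verify_signature(SAMPLE_SECRET, SAMPLE_BODY, sig))          # True
    print(verify_signature(SAMPLE_SECRET, SAMPLE_BODY + b" ", sig))   # False: body altered
    print(verify_signature(SAMPLE_SECRET, SAMPLE_BODY, None))         # False: header missing
```

Reject the request before any side effects when `verify_signature` returns False; a valid signature only proves the body came from a holder of the secret, so replay protection (a timestamp or delivery id) would be a separate check.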