Overview
The Twigz API uses Clerk for authentication integrated with Convex for secure, scalable user management. This system supports multiple authentication methods and provides role-based access control for customers, store owners, and administrators.Authentication Flow
1
User Registration/Login
Users authenticate through Clerk using email, phone, or social providers
2
JWT Token Generation
Clerk generates a secure JWT token for the authenticated user
3
Convex Integration
Token is automatically validated by Convex for API access
4
Role-based Access
API functions check user roles and permissions automatically
Setup Authentication
Frontend Setup (React)
Backend Setup (Convex)
User Roles & Permissions
The system supports three main user roles:Customer
Permissions: Place orders, manage cart, view own data
Access: Customer functions, public store data
Access: Customer functions, public store data
Store Owner
Permissions: Manage store, products, orders, settings
Access: Store functions, own store data, customer orders
Access: Store functions, own store data, customer orders
Admin
Permissions: Platform management, store approval, analytics
Access: All functions, system-wide data
Access: All functions, system-wide data
Protected API Calls
Authentication Patterns
Role-based Component Access
User Registration Flow
Error Handling
Unauthenticated
Unauthenticated
Status Code:
401Insufficient permissions
Insufficient permissions
Status Code:
403Invalid token
Invalid token
Status Code:
401Account suspended
Account suspended
Status Code:
403Security Best Practices
Token Security
Never expose secret keys in client-side code. Use environment variables for all sensitive configuration.
Role Validation
Always validate user roles on both client and server side for security in depth.
Session Management
Implement proper session timeout and refresh mechanisms for long-running applications.
Audit Logging
Log all authentication events and permission changes for security monitoring.
All API functions automatically validate authentication and permissions. You don’t need to manually check authentication in most cases.
