
ADR 0001: Auth & Admin via JWT and API Key

Context

We need to distinguish between standard "Student" operations (chat, balance check) and "Admin" operations (curriculum ingestion, scraping sync).

Decision

  1. Use Supabase JWT for all user-facing endpoints.
  2. Extract the role from the JWT user_metadata.
  3. Use a static ADMIN_API_KEY (passed via X-Admin-Key) for the first version of the administrative API to simplify internal automation scripts.
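The two checks the decision calls for, written out as an added example (not the project's own code): an HS256 verification of a Supabase-style JWT that returns `user_metadata.role`, and a constant-time comparison of the `X-Admin-Key` header against `ADMIN_API_KEY`. The secret, key and claims are constructed values; the `make_test_jwt` helper exists only so the example runs offline.

```python
import base64, hashlib, hmac, json, time

# Constructed example values; the real ones come from the environment, never from source.
SUPABASE_JWT_SECRET = b"example-supabase-jwt-secret"
ADMIN_API_KEY = "example-admin-key-rotate-if-leaked"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def role_from_jwt(token: str, secret: bytes, now=None) -> str:
    """Verify an HS256 JWT and return user_metadata.role (defaults to 'student')."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # reject alg=none and algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # check signature before trusting claims
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return payload.get("user_metadata", {}).get("role", "student")


def is_admin_request(headers: dict, admin_key: str) -> bool:
    """Compare the X-Admin-Key header with the shared secret without leaking timing."""
    supplied = headers.get("X-Admin-Key", "")
    return hmac.compare_digest(supplied.encode(), admin_key.encode())


def make_test_jwt(role: str, secret: bytes, exp: int) -> str:
    """Build a signed HS256 token with Supabase-shaped claims (test helper, constructed)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": "user-123", "exp": exp, "user_metadata": {"role": role}}
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```

In Supabase, `user_metadata` is writable by the signed-in user through the client API while `app_metadata` is server-only, so a role that gates admin actions should be read from a claim the user cannot set themselves.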

Consequences

  • Positive: Fast implementation of admin tools; decoupling of admin logic from the main user auth flow.
  • Negative: Shared secret (ADMIN_API_KEY) must be rotated if leaked. Eventually, we should migrate all admin actions to JWT-based RBAC.
