# Authentication & Access Guide
Welcome to the AiDial portal authentication and access guide. This guide covers signing in, understanding your permissions, tenant-scoped access, session security, MFA, and API authentication for trusted partner integrations.
# Who Should Read This Guide
- Customers (`client_admin`, `client_manager`, `client_staff`) — Learn how to sign in, manage your account security, and understand what you can access.
- Partners (`partner_admin`, `partner_user`) — Understand how multi-tenant access works and what your partner role allows you to do.
- Developers and integration partners — Learn the difference between trusted server-side API access and first-party portal sessions, and understand error responses.
# Current Security Boundaries
- Browser users sign in through the AiDial portal and should not send `X-API-Key`.
- API keys are for trusted direct server-side integrations.
- Tenant and project scope is enforced server-side with non-enumerating responses for out-of-scope resources.
- Sidebar or navigation visibility is not a security boundary.
# Guide Contents
# Getting Started
- Signing In — How to sign in to the portal, what to expect, and how to troubleshoot common access issues.
# Understanding Your Access
- Roles & Permissions — What customer and partner roles can see and do in the portal, including comparison tables and route-access expectations.
- Multi-Factor Authentication — Which roles require MFA, provider-managed setup, recovery-code reminders, and what to do if you are locked out.
- Tenant Scoping — How data isolation works, the difference between single-tenant (customer) and multi-tenant (partner) access, and how client selection works for partners.
# For Developers
- API Authentication — How direct server-side integrations use API keys, how first-party portal BFF calls use bearer tokens, and why browser code must not send `X-API-Key`.
- Error Responses — Common authentication and authorisation error codes and what they mean.
# Security
- Session Security — Session expiry, signing out, customer session management, administrator session revocation, and security best practices.
# Quick Reference
| I want to... | Go to... |
|---|---|
| Sign in for the first time | Signing In |
| Understand what I can access | Roles & Permissions |
| Set up two-factor authentication | Multi-Factor Authentication |
| Make a direct server-side API call | API Authentication |
| Understand the portal BFF boundary | API Authentication |
| Understand a 401, 403, or 404 auth error | Error Responses |
| Manage my active sessions | Session Security |