End-User Authentication
By default, only Fascia admins can access the Portal. End-User Authentication lets you open the Portal to your actual users — customers, staff, or anyone who needs to interact with your backend. Each user gets their own account with role-based access controls.
End-User Auth is built into Fascia as a first-class feature. You configure it through an AuthSpec in Chat Studio, and Fascia handles the rest: user registration, login, token management, and role-based filtering.
End-User Auth runs entirely in your GCP project (the Executor). User credentials and tokens never pass through Fascia's servers.
How It Works
Fascia uses a dual authentication model:
| Mode | Who | Login URL | Access |
|---|---|---|---|
| Admin (Fascia) | Workspace owners and admins | portal.fascia.run/login | Full access: Dashboard, all Entities, all Tools |
| End-User (Executor) | Your application's users | portal.fascia.run/w/:workspaceId/login | Role-filtered: only Tools permitted for their role |
Admin auth is handled by Fascia's platform. End-User auth is handled by the Executor running in your GCP project, using the configuration you define in your AuthSpec.
Setting Up AuthSpec
Configure End-User Auth in Chat Studio by describing what you need. Fascia generates an AuthSpec that includes:
Login Methods
Choose one or combine multiple:
- Self-login — Email and password registration. Users create their own accounts with email, display name, and password. Passwords are hashed with bcrypt.
- Social login — OAuth 2.0 providers (Google, Apple, Kakao, Naver, GitHub, etc.). Users authenticate through their existing accounts on these platforms.
- Hybrid — Both self-login and social login. Users can register either way, and accounts are automatically linked when the same email is used.
Roles
Define the roles your application needs. Common examples:
| Role | Typical Access |
|---|---|
admin | All Tools and data management |
staff | Operational Tools, limited data access |
customer | Their own data only, customer-facing Tools |
shop_owner | Business management Tools for their shop |
Each role controls which Tools are visible to that user in the Portal.
Admin Roles
Specify which roles should have full access (see all Tools, including internal/admin ones). Users with non-admin roles only see Tools explicitly allowed for their role.
Deploying with Auth
After configuring your AuthSpec in Chat Studio:
- Review — The AuthSpec appears alongside your Entity and Tool specs
- Deploy — Deploy as usual. Fascia provisions the auth tables (users, tokens, providers) in your GCP Cloud SQL database and configures the Executor's auth endpoints
- Share the login URL — Give your end users the workspace-specific URL:
https://portal.fascia.run/w/<your-workspace-id>/login
Your workspace ID is visible in Chat Studio's workspace settings.
User Registration & Login
Registration
End users visit the login URL and switch to the Register tab:
- Enter email address
- Choose a display name (optional)
- Set a password and confirm it
- Click Register
The system validates:
- Email uniqueness (no duplicate accounts)
- Password strength requirements
- Registration is enabled in your AuthSpec
New users are assigned the default role defined in your AuthSpec.
Login
Returning users enter their email and password on the Login tab. On success, they receive an access token (1 hour) and a refresh token (7 days). The Portal handles token refresh automatically.
Error Handling
Clear error messages appear for common issues:
- Invalid credentials
- Account suspended by admin
- Registration disabled
- Weak password
Role-Based Access
Once logged in, end users see a filtered version of the Portal based on their role:
What End Users See
- Tools page — Only Tools permitted for their role
- Tool execution forms — Same interface as admin, with dynamic input fields and result display
- Sidebar — Shows their email and an "End User" indicator
What End Users Don't See
- Dashboard (entity counts and activity)
- Entity lists and CRUD operations
- Status transitions and entity-action buttons
- Admin-only Tools
Example
Imagine a car rental system with these roles:
| User | Role | Sees |
|---|---|---|
| Office manager | admin | Dashboard + all Entities + all Tools |
| Front desk staff | staff | Check-in Tool, Return Tool, Availability Tool |
| Customer | customer | Book Reservation Tool, My Reservations Tool |
The same Portal app, same deployment — but each user gets exactly the interface they need.
Managing Users
As an admin, you can manage end users through the Management Console:
- View all users — Email, role, account status
- Change roles — Upgrade or downgrade a user's access level
- Suspend accounts — Temporarily block a user from logging in
- Reactivate accounts — Restore suspended users
Security
End-User Auth follows Fascia's security principles:
- Passwords are hashed with bcrypt (cost factor 12+)
- JWT tokens are signed with keys stored in your GCP Secret Manager
- Access tokens expire after 1 hour; refresh tokens after 7 days
- Failed logins are rate-limited (5 attempts per minute per email)
- All auth operations are logged in the audit trail
- Data stays in your GCP project — Fascia's servers never see user credentials
Next Steps
- Entity CRUD Portal — Learn about all Portal features
- Build a Booking System — Tutorial that includes setting up roles and auth
- Architecture: BYOC — Understand where auth runs in your infrastructure