Auth And Tenant Scope
The gateway uses a short-lived access token and a refresh token.
Headers
Authorization: Bearer <access-token>
X-Customer-Id: <customer-uuid>
X-Reseller-Id: <reseller-account-id>

X-Customer-Id is mandatory for customer-scoped operations such as vehicles, devices, users, telemetry, reports, and connector administration.
X-Reseller-Id is used by reseller-scoped admin and billing surfaces. During the reseller transition, some workflows select a reseller workspace first and then call customer-scoped operational APIs with X-Customer-Id.
Token Lifecycle
- Access tokens expire after 15 minutes.
- Refresh sessions expire after 30 days.
- Refresh on 401 once, then retry the original request.
- Treat repeated 401 responses as a required re-login.
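The refresh-once-then-retry rule above, written out as a small client wrapper. This is an added example, not code from the gateway or its SDK. It assumes a transport callable `send(method, path, headers) -> (status, body)` and a refresh callable `refresh_fn(refresh_token) -> new access token or None`; the `FakeGateway` class is a constructed stand-in so the example runs offline. The wrapper also enforces the header rule from the section above: customer-scoped requests refuse to go out without X-Customer-Id.

```python
# Added example (not the gateway's own code): header construction plus the
# "refresh on 401 once, retry, then treat a second 401 as re-login" rule.

ACCESS_TOKEN_TTL_SECONDS = 15 * 60            # page: access tokens expire after 15 minutes
REFRESH_SESSION_TTL_SECONDS = 30 * 24 * 3600  # page: refresh sessions expire after 30 days


class ReloginRequired(Exception):
    """Raised when a refresh fails or the refreshed token is still rejected."""


class GatewayClient:
    def __init__(self, send, refresh_fn, access_token, refresh_token,
                 customer_id=None, reseller_id=None):
        self.send = send              # assumed transport: send(method, path, headers) -> (status, body)
        self.refresh_fn = refresh_fn  # assumed: refresh_fn(refresh_token) -> new access token or None
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.customer_id = customer_id
        self.reseller_id = reseller_id

    def headers(self, customer_scoped):
        h = {"Authorization": f"Bearer {self.access_token}"}
        if customer_scoped:
            # X-Customer-Id is mandatory for customer-scoped operations; fail before sending.
            if not self.customer_id:
                raise ValueError("X-Customer-Id is mandatory for customer-scoped operations")
            h["X-Customer-Id"] = self.customer_id
        if self.reseller_id:
            h["X-Reseller-Id"] = self.reseller_id
        return h

    def request(self, method, path, customer_scoped=True):
        status, body = self.send(method, path, self.headers(customer_scoped))
        if status != 401:
            return status, body
        # Exactly one refresh attempt, then retry the original request once.
        new_token = self.refresh_fn(self.refresh_token)
        if new_token is None:
            raise ReloginRequired("refresh session rejected")
        self.access_token = new_token
        status, body = self.send(method, path, self.headers(customer_scoped))
        if status == 401:
            raise ReloginRequired("request rejected again after refresh")
        return status, body


class FakeGateway:
    """Constructed stand-in for the gateway: accepts only the current access token."""

    def __init__(self):
        self.valid_tokens = {"tok-1"}
        self.refresh_sessions = {"rt-1": 0}  # refresh token -> refreshes performed
        self.calls = []

    def send(self, method, path, headers):
        self.calls.append((method, path, dict(headers)))
        token = headers.get("Authorization", "")[len("Bearer "):]
        if token not in self.valid_tokens:
            return 401, {"error": "token expired"}
        return 200, {"ok": True, "customer": headers.get("X-Customer-Id")}

    def refresh(self, refresh_token):
        if refresh_token not in self.refresh_sessions:
            return None
        self.refresh_sessions[refresh_token] += 1
        new_token = f"tok-{self.refresh_sessions[refresh_token] + 1}"
        self.valid_tokens = {new_token}  # old access token is no longer accepted
        return new_token


def demo_refresh_and_retry():
    """Expired access token, valid refresh session: one refresh, one retry, 200."""
    gw = FakeGateway()
    client = GatewayClient(gw.send, gw.refresh, "expired", "rt-1", customer_id="c-123")
    status, body = client.request("GET", "/vehicles")
    return status, body, client.access_token, len(gw.calls)


def demo_relogin_required():
    """Expired access token and unknown refresh session: caller must re-login."""
    gw = FakeGateway()
    client = GatewayClient(gw.send, gw.refresh, "expired", "rt-unknown", customer_id="c-123")
    try:
        client.request("GET", "/vehicles")
    except ReloginRequired as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(demo_refresh_and_retry())
    print(demo_relogin_required())
```

The single refresh attempt is deliberate: a client that loops on refresh can hammer the gateway with an expired refresh session, while the page's rule (one refresh, one retry, then re-login) bounds the work per request.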
Common Permission Keys
| Route family | Permission |
|---|---|
| Users | users.read, users.write |
| Roles | roles.read, roles.write |
| Vehicles | vehicles.read, vehicles.write |
| Devices | devices.read, devices.write |
| Connectors | connectors.read, connectors.write |
| Tachograph | tachograph.read, tachograph.manage |
Access is additive across active customer-scoped role assignments.
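How additive access across active, customer-scoped role assignments can be evaluated, as an added example that is not the gateway's own authorization code. The permission keys come from the table above; the roles, assignment records and customer ids are constructed for illustration. The check unions the permissions of every assignment that is both active and scoped to the customer named in X-Customer-Id, so inactive assignments and assignments for other customers contribute nothing.

```python
# Added example (not the gateway's own code): effective permissions as the
# union of active, customer-scoped role assignments.
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset


@dataclass(frozen=True)
class Assignment:
    role: str
    customer_id: str
    active: bool = True


# Constructed roles using permission keys from the table above.
ROLES = {
    "viewer": Role("viewer", frozenset({"vehicles.read", "devices.read", "users.read"})),
    "fleet-admin": Role("fleet-admin", frozenset({"vehicles.write", "devices.write"})),
    "tacho-ops": Role("tacho-ops", frozenset({"tachograph.read", "tachograph.manage"})),
}


def effective_permissions(assignments, customer_id, roles=ROLES):
    """Union of permissions over assignments that are active and scoped to customer_id."""
    perms = set()
    for a in assignments:
        if not a.active or a.customer_id != customer_id:
            continue  # inactive or other-customer assignments never add access
        perms |= roles[a.role].permissions
    return frozenset(perms)


def authorize(assignments, customer_id, required_permission):
    """True if the caller holds required_permission within the given customer scope."""
    return required_permission in effective_permissions(assignments, customer_id)


# Constructed sample: one user with assignments across two customers.
SAMPLE_ASSIGNMENTS = [
    Assignment("viewer", "c-1"),
    Assignment("fleet-admin", "c-1"),
    Assignment("tacho-ops", "c-1", active=False),  # revoked: must not count
    Assignment("fleet-admin", "c-2"),
]


def demo():
    return {
        "c-1": sorted(effective_permissions(SAMPLE_ASSIGNMENTS, "c-1")),
        "c-1 vehicles.write": authorize(SAMPLE_ASSIGNMENTS, "c-1", "vehicles.write"),
        "c-1 tachograph.manage": authorize(SAMPLE_ASSIGNMENTS, "c-1", "tachograph.manage"),
        "c-2 vehicles.write": authorize(SAMPLE_ASSIGNMENTS, "c-2", "vehicles.write"),
        "c-2 vehicles.read": authorize(SAMPLE_ASSIGNMENTS, "c-2", "vehicles.read"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Filtering on the customer id before taking the union is the security-relevant step: because access is additive, a check that forgot the scope filter would let a role held at one customer grant the same permission at every other customer the user has any assignment with.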