
ADR 0001: Auth & Admin via JWT and API Key

Context

We need to distinguish between standard "Student" operations (chat, balance check) and "Admin" operations (curriculum ingestion, scraping sync).

Decision

  1. Use Supabase JWT for all user-facing endpoints.
  2. Extract the role from the JWT user_metadata (and later app_metadata).
  3. We previously used a static ADMIN_API_KEY, but it has been completely removed in favor of JWT-based RBAC.

Consequences

  • Positive: JWT-based RBAC is more secure and integrates cleanly with our auth stack.
  • Negative: None; the shared secret was successfully phased out.
