Auth & Roles
Roles
| Role | Description |
|---|---|
| MASTER | Platform superuser. Cross-organization access. |
| ADMIN | Agency administrator. Full access within their org. |
| EMPLOYEE | Home care worker. Access to own profile, schedule, forms. |
| CLIENT | Care recipient. Access to own profile and documents. |
| MARKETER | Referral agent. Can submit and track referrals. |
| Case Manager | External user (physician/provider). No portal account. Accesses specific compliance documents via a one-time email link + OTP challenge. Cannot log in through the normal auth flow. See Compliance Documents. |
Authentication
- Tokens: JWT issued by dj-rest-auth + djangorestframework-simplejwt.
- Access token: short-lived, kept in memory by the SPA.
- Refresh token: longer-lived, stored in an httpOnly cookie.
- ReCaptcha: v3 on public-facing forms (application, referral submission).
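The token model above maps onto a handful of dj-rest-auth and simplejwt settings, and the security of the model depends on those settings not drifting. The block below is an added example, not the project's settings.py: it shows a hardened configuration beside a weak one and a small audit function that flags the weak values. The `REST_AUTH` and `SIMPLE_JWT` keys are the real ones from those libraries; the cookie name, the lifetimes and the 15-minute access-token threshold are assumptions.

```python
# Added example (not the project's own configuration): dj-rest-auth / simplejwt
# settings for the token model on this page (short-lived access token held in
# SPA memory, refresh token in an httpOnly cookie), a weak variant, and an
# audit function that reports the weak values. Cookie name, lifetimes and the
# policy threshold are assumptions; the setting names are the libraries' own.
from datetime import timedelta

# Hardened: access token only in the response body (no access cookie), refresh
# token only in an httpOnly, Secure, SameSite=Lax cookie, rotated on every use.
SIMPLE_JWT_HARDENED = {
    "ACCESS_TOKEN_LIFETIME": timedelta(minutes=10),   # short-lived; assumed value
    "REFRESH_TOKEN_LIFETIME": timedelta(days=7),      # longer-lived; assumed value
    "ROTATE_REFRESH_TOKENS": True,                    # each refresh issues a new refresh token
    "BLACKLIST_AFTER_ROTATION": True,                 # needs rest_framework_simplejwt.token_blacklist in INSTALLED_APPS
}
REST_AUTH_HARDENED = {
    "USE_JWT": True,
    "JWT_AUTH_COOKIE": None,                      # no access-token cookie: the SPA keeps it in memory
    "JWT_AUTH_REFRESH_COOKIE": "refresh-token",   # assumed cookie name
    "JWT_AUTH_HTTPONLY": True,                    # refresh token never visible to page scripts
    "JWT_AUTH_SECURE": True,                      # cookie only sent over HTTPS
    "JWT_AUTH_SAMESITE": "Lax",
}

# Weak variant: the kind of dev-config drift the audit is meant to catch.
SIMPLE_JWT_WEAK = {
    "ACCESS_TOKEN_LIFETIME": timedelta(days=1),
    "REFRESH_TOKEN_LIFETIME": timedelta(days=30),
    "ROTATE_REFRESH_TOKENS": False,
    "BLACKLIST_AFTER_ROTATION": False,
}
REST_AUTH_WEAK = {
    "USE_JWT": True,
    "JWT_AUTH_REFRESH_COOKIE": "refresh-token",
    "JWT_AUTH_HTTPONLY": False,   # refresh token readable by any script on the page
    "JWT_AUTH_SECURE": False,
    "JWT_AUTH_SAMESITE": "None",
}

MAX_ACCESS_LIFETIME = timedelta(minutes=15)   # assumed policy threshold


def audit_token_settings(rest_auth: dict, simple_jwt: dict) -> list[str]:
    """Return findings; an empty list means the config matches the page's token model."""
    findings = []
    if not rest_auth.get("USE_JWT"):
        findings.append("USE_JWT is off: dj-rest-auth falls back to DRF token auth")
    if not rest_auth.get("JWT_AUTH_REFRESH_COOKIE"):
        findings.append("JWT_AUTH_REFRESH_COOKIE unset: refresh token returned in the body, not a cookie")
    # dj-rest-auth defaults JWT_AUTH_HTTPONLY to True, so only an explicit False is a finding.
    if rest_auth.get("JWT_AUTH_HTTPONLY", True) is False:
        findings.append("JWT_AUTH_HTTPONLY=False: refresh token exposed to page scripts")
    if not rest_auth.get("JWT_AUTH_SECURE", False):   # library default is False
        findings.append("JWT_AUTH_SECURE=False: refresh cookie may be sent over plain HTTP")
    if rest_auth.get("JWT_AUTH_SAMESITE") == "None":
        findings.append("JWT_AUTH_SAMESITE=None: refresh cookie attached to cross-site requests")
    # simplejwt's default access lifetime is 5 minutes.
    if simple_jwt.get("ACCESS_TOKEN_LIFETIME", timedelta(minutes=5)) > MAX_ACCESS_LIFETIME:
        findings.append("ACCESS_TOKEN_LIFETIME exceeds the assumed 15-minute policy")
    if not simple_jwt.get("ROTATE_REFRESH_TOKENS", False):
        findings.append("ROTATE_REFRESH_TOKENS=False: a stolen refresh token stays valid for its full lifetime")
    elif not simple_jwt.get("BLACKLIST_AFTER_ROTATION", False):
        findings.append("BLACKLIST_AFTER_ROTATION=False: rotated-out refresh tokens remain usable")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_token_settings(REST_AUTH_HARDENED, SIMPLE_JWT_HARDENED))
    for line in audit_token_settings(REST_AUTH_WEAK, SIMPLE_JWT_WEAK):
        print("weak:", line)
```

Running the audit against the live `settings.REST_AUTH` and `settings.SIMPLE_JWT` in a CI check keeps the "refresh token in an httpOnly cookie" property from silently regressing; `JWT_AUTH_COOKIE` is deliberately left unset so the access token is only ever returned in the login response body, which is what lets the SPA keep it in memory rather than in a cookie.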
Portal Routing by Role
The portals SPA reads the user's role from the decoded JWT and renders the appropriate dashboard layout and navigation. Each role has a distinct set of visible pages — the routing table lives in src/ of the portals repo.
Permissions in the API
DRF permission classes gate endpoints by role. Custom permission classes are defined in novahomecareapi/utils/ and applied at the view level.
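As an added example, not the code in novahomecareapi/utils/, the block below shows role-gating permission classes of the kind described here: a `HasRole(...)` factory for view-level gating, an object-level check that confines every role except MASTER to its own organization, and a self-or-admin check for profile-style objects. It runs with or without Django REST Framework installed. The role values follow the table on this page; the attribute names `request.user.role`, `request.user.organization_id`, `obj.organization_id` and `obj.user_id` are assumptions about the data model.

```python
# Added example (not the project's own permission classes): DRF-style
# role gating for the roles in the table above. BasePermission is the real
# DRF class when available; the stand-in below only exists so the example
# runs offline. Attribute names on user and objects are assumptions.
from types import SimpleNamespace

try:
    from rest_framework.permissions import BasePermission
except Exception:  # DRF not installed, or Django settings not configured
    class BasePermission:
        def has_permission(self, request, view):
            return True

        def has_object_permission(self, request, view, obj):
            return True

MASTER, ADMIN, EMPLOYEE, CLIENT, MARKETER = "MASTER", "ADMIN", "EMPLOYEE", "CLIENT", "MARKETER"
PORTAL_ROLES = frozenset({MASTER, ADMIN, EMPLOYEE, CLIENT, MARKETER})
# Case Managers have no portal account, so there is deliberately no role value
# for them: an authenticated request can never carry that identity.


def _role(request):
    """Role of the authenticated user, or None. Unknown role strings count as no role."""
    user = getattr(request, "user", None)
    if user is None or not getattr(user, "is_authenticated", False):
        return None
    role = getattr(user, "role", None)
    return role if role in PORTAL_ROLES else None


def HasRole(*roles):
    """Factory: HasRole(ADMIN, MASTER) -> permission class allowing only those roles."""
    allowed = frozenset(roles)

    class _HasRole(BasePermission):
        message = "Requires one of: " + ", ".join(sorted(allowed))

        def has_permission(self, request, view):
            return _role(request) in allowed

    return _HasRole


class IsOrgScoped(BasePermission):
    """Object-level check: MASTER is cross-org; every other role is confined to its own org."""

    def has_permission(self, request, view):
        return _role(request) is not None

    def has_object_permission(self, request, view, obj):
        role = _role(request)
        if role == MASTER:
            return True
        if role is None:
            return False
        org = getattr(obj, "organization_id", None)
        return org is not None and org == getattr(request.user, "organization_id", None)


class IsSelfOrOrgAdmin(BasePermission):
    """Profile-style objects: the owning EMPLOYEE/CLIENT, an ADMIN of the same org, or MASTER."""

    def has_object_permission(self, request, view, obj):
        role = _role(request)
        if role == MASTER:
            return True
        if role in (EMPLOYEE, CLIENT):
            return getattr(obj, "user_id", None) == request.user.id
        if role == ADMIN:
            org = getattr(obj, "organization_id", None)
            return org is not None and org == request.user.organization_id
        return False


# Constructed stand-ins for request/user so the classes can be exercised without Django.
def fake_user(role, org=1, uid=1, authenticated=True):
    return SimpleNamespace(role=role, organization_id=org, id=uid, is_authenticated=authenticated)


def fake_request(user):
    return SimpleNamespace(user=user)


if __name__ == "__main__":
    admin_req = fake_request(fake_user(ADMIN, org=1))
    doc_in_org2 = SimpleNamespace(organization_id=2, user_id=8)
    print("admin can view endpoint:", HasRole(ADMIN, MASTER)().has_permission(admin_req, None))
    print("admin can open other org's doc:", IsOrgScoped().has_object_permission(admin_req, None, doc_in_org2))
```

In a view the classes compose in the usual way, e.g. `permission_classes = [IsAuthenticated, HasRole(ADMIN, MASTER), IsOrgScoped]`. Two caveats worth keeping in mind: `has_object_permission` only runs when the view calls `check_object_permissions` (generic views do so in `get_object`, list endpoints do not, so list views still need their queryset filtered by organization), and the role the SPA reads from the decoded JWT drives navigation only; these server-side classes are the authorization boundary.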