Generated Assets Reference

Auth Service Generated Assets

Comprehensive reference for all automatically generated assets in the auth service, including data objects, Business APIs, REST routes, Kafka topics, and database utility functions.

The auth service is automatically generated when you configure the Authentication module in your Mindbricks project. This service provides user management, authentication, authorization, and multi-tenancy capabilities.

Automatic Data Objects

The auth service automatically includes the following data objects:

1. `user` Data Object

The user data object is the core entity for user management. It is always present in the auth service.

Naming Convention:

Data Object Name: user
Model Name: User (PascalCase)
Service Reference: auth:user (when referenced from other services)

System-Owned Properties:

Property Name	Type	Required	Description
`id`	UUID	Yes	Unique identifier for the user
`email`	String	Yes	User's email address (unique, used for login)
`password`	String	Yes	Hashed password (never stored in plain text)
`emailVerified`	Boolean	Yes	Whether email has been verified
`name`	String	Conditional	First name (when `userNameType` is `"asNamePair"`)
`surname`	String	Conditional	Last name (when `userNameType` is `"asNamePair"`)
`fullname`	String	Conditional	Full name (when `userNameType` is `"asFullname"`)
`avatar`	String	No	URL to user's avatar image
`roleId`	Any/Array	Conditional	User's role(s) (when RBAC is active)
`mobile`	String	Conditional	Mobile phone number (when `userMobileIsActive` is true)
`mobileVerified`	Boolean	Conditional	Whether mobile is verified (when `userMobileIsActive` is true)
`{tenantName}Id`	UUID	Conditional	Tenant ID (when multi-tenancy is active, e.g., `clientId`, `storeId`)

Custom Properties: Architects can add custom properties via ProjectAuthentication.userProperties array. These properties follow standard DataProperty pattern definitions.

Initial Data:

Super Admin User: Automatically created on deployment with credentials defined in LoginDefUserSettings.superAdminEmail and LoginDefUserSettings.superAdminPassword

2. `userGroup` Data Object (Conditional)

The userGroup data object is generated when userGroupsActive is set to true in LoginDefUserSettings.

Naming Convention:

Data Object Name: userGroup
Model Name: UserGroup (PascalCase)
Service Reference: auth:userGroup

System-Owned Properties:

Property Name	Type	Required	Description
`id`	UUID	Yes	Unique identifier for the group
`groupName`	String	Yes	Name of the user group
`avatar`	String	No	URL to group's avatar image
`{tenantName}Id`	UUID	Conditional	Tenant ID (when `userGroupsInTenantLevel` is true)

3. `userGroupMember` Data Object (Conditional)

The userGroupMember data object is generated when userGroupsActive is set to true. It manages the many-to-many relationship between users and groups.

Naming Convention:

Data Object Name: userGroupMember
Model Name: UserGroupMember (PascalCase)
Service Reference: auth:userGroupMember

System-Owned Properties:

Property Name	Type	Required	Description
`id`	UUID	Yes	Unique identifier for the membership record
`groupId`	UUID	Yes	Reference to `userGroup.id`
`userId`	UUID	Yes	Reference to `user.id`
`ownerId`	UUID	Yes	ID of admin who created the membership (auto-populated from session)
`{tenantName}Id`	UUID	Conditional	Tenant ID (when `userGroupsInTenantLevel` is true)

4. ROLES System Object

Roles in Mindbricks are not stored as data objects but as a system object (constant/enum) that defines available role names and their values. This ROLES object is always present in the auth service, regardless of whether RBAC is active.

System Roles (Always Available):

Single-Tenant Projects:

superAdmin — Super administrator with full system access
admin — Administrator with elevated permissions
user — Standard user role

Multi-Tenant (SaaS) Projects:

superAdmin — Super administrator at SaaS level
saasAdmin — SaaS-level administrator
saasUser — SaaS-level user
tenantOwner — Owner of a tenant
tenantAdmin — Administrator within a tenant
tenantUser — Standard user within a tenant

Custom Roles (When RBAC is Active):

When rbacIsActive is true, architects can define additional custom roles via AccessControl.roleSettings.configuration.rolesObject array. Each role is defined with:

name — Display name (used in UIs and documentation)
value — Role value stored in user.roleId and session

Example Custom Roles Configuration:

{
  "authentication": {
    "accessControl": {
      "roleSettings": {
        "rbacIsActive": true,
        "configuration": {
          "rolesObject": [
            { "name": "Manager", "value": "manager" },
            { "name": "Editor", "value": "editor" },
            { "name": "Viewer", "value": "viewer" }
          ]
        }
      }
    }
  }
}

Usage in Business Logic:

Role names (both system and custom) are assets that should be referenced in authorization business logic:

In MScript expressions: this.session.roleId === "admin"
In Business API auth options: requiredRole: "admin"
In permission checks: PermissionCheckAction with role-based conditions
In access control rules: Role-based where clauses and filters

Note: The user.roleId property stores the role value (not the role name). When usersHaveMultipleRoles is enabled, roleId becomes an array of role values.

5. `givenPermission` Data Object (Conditional)

The givenPermission data object is generated when Permission-Based Access Control (PBAC) is active (pbacIsActive is true). This data object stores permission assignments — it records which permissions are granted to roles, user groups, users, or specific objects.

Naming Convention:

Data Object Name: givenPermission
Model Name: GivenPermission (PascalCase)
Service Reference: auth:givenPermission

System-Owned Properties:

Property Name	Type	Required	Description
`id`	UUID	Yes	Unique identifier for the permission assignment record
`permissionName`	String	Yes	Reference to the named permission. Can be formatted as: `"groupName.permissionName"` (specific permission), `"permissionName"` (permission without group), or `"groupName.*"` (all permissions in a group)
`roleId`	String	No	Role name to which the permission is assigned (for role-based permissions)
`subjectUserId`	String	No	User ID to whom the permission is assigned (for user-based permissions)
`subjectUserGroupId`	String	No	User group ID to which the permission is assigned (for group-based permissions)
`objectId`	String	No	Object ID for which the permission is given (for object-based permissions/OBAC)
`canDo`	Boolean	Yes	Whether the permission is active. Default: `true`. Can be set to `false` to explicitly deny a permission (overrides more general positive permissions)
`{tenantName}Id`	UUID	Conditional	Tenant ID (when multi-tenancy is active)

Note: Permissions themselves are hardcoded/defined in the PBAC configuration via PermissionGroups in AccessControl.permissionSettings.configuration.permissionGroups. The givenPermission data object only stores assignments of these predefined permissions to roles, users, groups, or objects.

6. `tenant` Data Object (Conditional)

The tenant data object is generated when multi-tenancy is active (useMultiTenantFeature is true).

Naming Convention:

Data Object Name: {tenantName} (e.g., client, store, workspace)
Model Name: {TenantName} (PascalCase, e.g., Client, Store, Workspace)
Service Reference: auth:{tenantName}

System-Owned Properties:

Property Name	Type	Required	Description
`id`	UUID	Yes	Unique identifier for the tenant
`codename`	String	Yes	Unique codename for the tenant (used in URLs, tokens)
`fullname`	String	Yes	Display name of the tenant
`avatar`	String	No	URL to tenant's avatar image

Custom Properties: Architects can add custom properties via ProjectAuthentication.tenantProperties array.

Initial Data:

Root Tenant: Automatically created with codename "root" for SaaS-level operations

Automatic Business APIs and REST Routes

Mindbricks automatically generates Business APIs for the auth service data objects. The REST routes are generated based on the API name and crudType, following RESTful conventions.

For detailed route generation rules, see the Introduction document.

User Data Object APIs

Business API Name	CRUD Type	REST Route	HTTP Method	Description	Auth Requirements
`getUser`	`get`	`/auth-api/v1/users/:userId`	GET	Get user profile information (admin or self)	Login required, ownership check or admin roles
`updateProfile`	`update`	`/auth-api/v1/profile/:userId`	PATCH	User updates their own profile	Login required, ownership check (superAdmin can update anyone)
`updateUser`	`update`	`/auth-api/v1/users/:userId`	PATCH	Admin updates user profile	Login required, admin roles (prevents updating higher roles)
`createUser`	`create`	`/auth-api/v1/users`	POST	Admin creates a new user manually	Login required, admin roles
`registerUser`	`create`	`/auth-api/v1/registeruser`	POST	Public user registration (single-tenant only)	Public (if `userRegisterIsPublic` is true and not multi-tenant)
`register{TenantName}Owner`	`create`	`/auth-api/v1/register{tenantName}owner`	POST	Public registration as tenant owner (multi-tenant only)	Public, creates both user and tenant
`register{TenantName}User`	`create`	`/auth-api/v1/register{tenantName}user`	POST	Public registration to existing tenant (multi-tenant only)	Public, creates user with `tenantUser` role
`archiveProfile`	`delete`	`/auth-api/v1/archiveprofile/:userId`	DELETE	User archives their own profile	Login required, ownership check (prevents SuperAdmin deletion)
`deleteUser`	`delete`	`/auth-api/v1/users/:userId`	DELETE	Admin deletes user profile	Login required, admin roles (prevents SuperAdmin deletion)
`listUsers`	`list`	`/auth-api/v1/users`	GET	Admin lists users (paginated, cached)	Login required, admin roles
`searchUsers`	`list`	`/auth-api/v1/searchusers`	GET	Admin searches users by email/fullname	Login required, admin roles, requires `keyword` query param, uses search filter
`updateUserRole`	`update`	`/auth-api/v1/userrole/:userId`	PATCH	Admin updates user role	Login required, admin roles (prevents assigning higher roles), custom `roleId` parameter
`updateUserPassword`	`update`	`/auth-api/v1/userpassword/:userId`	PATCH	User updates their own password	Login required, ownership check (requires `oldPassword` and `newPassword` parameters)
`updateUserPasswordByAdmin`	`update`	`/auth-api/v1/userpasswordbyadmin/:userId`	PATCH	Admin updates any user's password	Login required, admin roles (prevents updating higher roles), custom `password` parameter
`getBriefUser`	`get`	`/auth-api/v1/briefuser/:userId`	GET	Public brief user information	Public, returns only `id`, `name`/`fullname`, `avatar` (via selectClause)

Note:

Replace {TenantName} with the actual tenant name (e.g., Client, Store, Workspace)
registerUser is only generated when userRegisterIsPublic is true and multi-tenancy is disabled
register{TenantName}Owner and register{TenantName}User are only generated when multi-tenancy is active
All user APIs have gRPC controllers enabled

UserGroup Data Object APIs (if `userGroupsActive` is true)

Business API Name	CRUD Type	REST Route	HTTP Method	Description	Auth Requirements
`createUserGroup`	`create`	`/auth-api/v1/usergroups`	POST	Admin creates a new user group	Login required, admin roles (superAdmin always allowed)
`updateUserGroup`	`update`	`/auth-api/v1/usergroups/:userGroupId`	PATCH	Admin updates user group	Login required, ownership check, admin roles
`deleteUserGroup`	`delete`	`/auth-api/v1/usergroups/:userGroupId`	DELETE	Admin deletes user group	Login required, ownership check, admin roles
`getUserGroup`	`get`	`/auth-api/v1/usergroups/:userGroupId`	GET	Get user group information	Public (no login required)
`listUserGroups`	`list`	`/auth-api/v1/usergroups`	GET	List all user groups	Public (no login required), sorted by `groupName`

UserGroupMember Data Object APIs (if `userGroupsActive` is true)

Business API Name	CRUD Type	REST Route	HTTP Method	Description	Auth Requirements
`createUserGroupMember`	`create`	`/auth-api/v1/usergroupmembers`	POST	Admin adds user to group	Login required, ownership check, admin roles
`deleteUserGroupMember`	`delete`	`/auth-api/v1/usergroupmembers/:userGroupMemberId`	DELETE	Admin removes user from group	Login required, ownership check, admin roles
`getUserGroupMember`	`get`	`/auth-api/v1/usergroupmembers/:userGroupMemberId`	GET	Get user group member information	Public (no login required)
`listUserGroupMembers`	`list`	`/auth-api/v1/listusergroupmembers/:groupId`	GET	List members of a group (filtered by `groupId`)	Public (no login required), includes joined user data

GivenPermission Data Object APIs (if `pbacIsActive` is true)

Business API Name	CRUD Type	REST Route	HTTP Method	Description	Auth Requirements
`createGivenPermission`	`create`	`/auth-api/v1/givenpermissions`	POST	Admin creates permission assignment (general)	Login required, admin roles
`createRolePermission`	`create`	`/auth-api/v1/rolepermission`	POST	Admin assigns permission to a role	Login required, admin roles (superAdmin always allowed)
`createUserPermission`	`create`	`/auth-api/v1/userpermission`	POST	Admin assigns permission to a user	Login required, admin roles (superAdmin always allowed)
`createGroupPermission`	`create`	`/auth-api/v1/grouppermission`	POST	Admin assigns permission to a user group	Login required, admin roles (superAdmin always allowed)
`createPermissionForRoleAndGroup`	`create`	`/auth-api/v1/permissionforroleandgroup`	POST	Admin assigns permission to role+group combination	Login required, admin roles (superAdmin always allowed)
`createObjectPermission`	`create`	`/auth-api/v1/objectpermission`	POST	Admin assigns permission to user for specific object	Login required, admin roles (superAdmin always allowed)
`createObjectPermissionForGroup`	`create`	`/auth-api/v1/objectpermissionforgroup`	POST	Admin assigns permission to group for specific object	Login required, admin roles (superAdmin always allowed)
`createObjectPermissionForRole`	`create`	`/auth-api/v1/objectpermissionforrole`	POST	Admin assigns permission to role for specific object	Login required, admin roles (superAdmin always allowed)
`createObjectPermissionForRoleAndGroup`	`create`	`/auth-api/v1/objectpermissionforroleandgroup`	POST	Admin assigns permission to role+group for specific object	Login required, admin roles (superAdmin always allowed)
`updateGivenPermission`	`update`	`/auth-api/v1/givenpermissions/:givenPermissionId`	PATCH	Admin updates permission assignment	Login required, admin roles (superAdmin always allowed)
`deleteGivenPermission`	`delete`	`/auth-api/v1/givenpermissions/:givenPermissionId`	DELETE	Admin deletes permission assignment	Login required, admin roles
`getGivenPermission`	`get`	`/auth-api/v1/givenpermissions/:givenPermissionId`	GET	Get permission assignment information	Public (no login required)
`listGivenPermissions`	`list`	`/auth-api/v1/givenpermissions`	GET	List all permission assignments	Public (no login required), sorted by name

Tenant Data Object APIs (if multi-tenancy is active)

Business API Name	CRUD Type	REST Route	HTTP Method	Description	Auth Requirements
`create{TenantName}`	`create`	`/auth-api/v1/{tenantName}s`	POST	SaaS admin creates tenant manually	Login required, SaaS-level, superAdmin/saasAdmin only
`get{TenantName}`	`get`	`/auth-api/v1/{tenantName}s/:{tenantName}Id`	GET	Admin gets tenant information	Login required, SaaS-level, ownership check, admin roles
`getBrief{TenantName}`	`get`	`/auth-api/v1/brief{tenantName}/:{tenantName}Id`	GET	Public brief tenant information	Public, returns only `id`, `name`, `codename`, `fullname`, `avatar`
`get{TenantName}ByCodename`	`get`	`/auth-api/v1/{tenantName}bycodename/:codename`	GET	Public get tenant by codename	Public, custom route path (not standard `/auth-api/v1/{tenantName}s/:id`)
`listRegistered{TenantName}s`	`list`	`/auth-api/v1/registered{tenantName}s`	GET	SaaS users list registered tenants	Login required, SaaS-level, saas roles (not paginated)
`listBrief{TenantName}s`	`list`	`/auth-api/v1/brief{tenantName}s`	GET	Public list brief tenant information	Public, returns only `name`, `codename`, `fullname`, `avatar` (not paginated)
`update{TenantName}`	`update`	`/auth-api/v1/{tenantName}s/:{tenantName}Id`	PATCH	Admin updates tenant	Login required, ownership check, admin roles
`delete{TenantName}`	`delete`	`/auth-api/v1/{tenantName}s/:{tenantName}Id`	DELETE	Admin deletes tenant	Login required, ownership check, admin roles

Note: Replace {TenantName} with the actual tenant name (e.g., Client, Store, Workspace). The route uses the pluralized form (e.g., /auth/clients, /auth/stores).

Auth Service Additional Routes

The auth service includes additional authentication and session management routes beyond the common session routes. These are mounted at /auth-api (without version).

Route	HTTP Method	Description	Auth Requirements
`/login`	GET	Get login page HTML	Public
`/login`	POST	User login (creates session, returns JWT token)	Public
`/relogin`	GET	Refresh/renew existing session	Login required (returns 401 if no valid session)
`/realtimetoken`	GET	Get realtime event token for WebSocket connections	Login required
`/getusersessions`	GET	Get all active sessions for a user	Login required
`/getuserhistory`	GET	Get session history for a user	Login required
`/deleteusersession/:sessionId`	DELETE	Delete a specific user session	Login required
`/deleteallsessions`	DELETE	Delete all sessions for a user	Login required
`/logout`	POST	Logout current user (invalidates session)	Login required

Query Parameters:

/getusersessions — Optional userId query parameter (defaults to current user)
/getuserhistory — Optional userId query parameter (defaults to current user)
/deleteusersession/:sessionId — Optional userId query parameter (defaults to current user)
/deleteallsessions — Optional userId query parameter (defaults to current user)

Path Parameters:

/deleteusersession/:sessionId — The session ID to delete

Request Body (POST /login):

{
  "username": "user@example.com",  // or "email"
  "password": "userpassword"
}

Response (POST /login):

Returns session object with JWT token and user information
Sets HTTP-only cookie with access token
May include cookieError if cookie setting fails

For common session routes available in all services, see General Service Assets.

Automatic Verification Service Routes

Mindbricks automatically generates verification service routes when the corresponding verification features are activated in the VerificationServices configuration. These routes are mounted at /auth-api/verification-services (without version prefix) and are only active when their respective isActive flags are set to true in the pattern design.

Note: All verification routes are system routes and therefore are not versioned. The /verification-services router is mounted to /auth-api, so the full route paths are /auth-api/verification-services/{service}/{action}.

Email Verification Routes

Activation Condition: VerificationServices.emailVerification.emailVerificationIsActive must be true

Route	HTTP Method	Description	Auth Requirements
`/auth-api/verification-services/email-verification/start`	POST	Starts email verification by generating and sending a secret code to the user's email	Public
`/auth-api/verification-services/email-verification/complete`	POST	Completes email verification using the received code	Public

Request Body (/start):

{
  "email": "user@example.com"
}

Request Body (/complete):

{
  "email": "user@example.com",
  "secretCode": "123456"
}

Response (/start):

Returns codeIndex, timeStamp, date, expireTime, verificationType
In test mode: also returns secretCode and userId

Response (/complete):

Returns status: "OK", isVerified: true, email
In test mode: also returns userId

Mobile Verification Routes

Activation Condition: VerificationServices.mobileVerification.mobileVerificationIsActive must be true

Route	HTTP Method	Description	Auth Requirements
`/auth-api/verification-services/mobile-verification/start`	POST	Starts mobile verification by generating and sending a secret code to the user's mobile number	Public
`/auth-api/verification-services/mobile-verification/complete`	POST	Completes mobile verification using the received code	Public

Request Body (/start):

{
  "email": "user@example.com"
}

Request Body (/complete):

{
  "email": "user@example.com",
  "secretCode": "123456"
}

Response (/start):

Returns codeIndex, timeStamp, date, expireTime, verificationType, masked mobile
In test mode: also returns secretCode and userId

Response (/complete):

Returns status: "OK", isVerified: true, email
In test mode: also returns userId and mobile

Email 2-Factor Authentication Routes

Activation Condition: VerificationServices.email2Factor.email2FactorIsActive must be true

Route	HTTP Method	Description	Auth Requirements
`/auth-api/verification-services/email-2factor-verification/start`	POST	Starts email-based 2FA by generating and sending a secret code	Login required (session context needed)
`/auth-api/verification-services/email-2factor-verification/complete`	POST	Completes email 2FA verification using the received code	Login required

Request Body (/start):

{
  "userId": "user-uuid",
  "sessionId": "session-uuid",
  "reason": "login",
  "client": "web"
}

Request Body (/complete):

{
  "userId": "user-uuid",
  "sessionId": "session-uuid",
  "secretCode": "123456"
}

Response (/start):

Returns status: "OK", sessionId, userId, codeIndex, timeStamp, date, expireTime, verificationType
In test mode: also returns secretCode

Response (/complete):

Returns the updated session object with sessionNeedsEmail2FA: false

Mobile 2-Factor Authentication Routes

Activation Condition: VerificationServices.mobile2Factor.mobile2FactorIsActive must be true

Route	HTTP Method	Description	Auth Requirements
`/auth-api/verification-services/mobile-2factor-verification/start`	POST	Starts mobile-based 2FA by generating and sending a secret code to the user's mobile	Login required (session context needed, requires mobile to be verified)
`/auth-api/verification-services/mobile-2factor-verification/complete`	POST	Completes mobile 2FA verification using the received code	Login required

Request Body (/start):

{
  "userId": "user-uuid",
  "sessionId": "session-uuid",
  "reason": "login",
  "client": "web"
}

Request Body (/complete):

{
  "userId": "user-uuid",
  "sessionId": "session-uuid",
  "secretCode": "123456"
}

Response (/start):

Returns status: "OK", sessionId, userId, codeIndex, timeStamp, date, expireTime, verificationType
In test mode: also returns secretCode

Response (/complete):

Returns the updated session object with sessionNeedsMobile2FA: false

Password Reset by Email Routes

Activation Condition: VerificationServices.passwordResetByEmail.passwordResetByEmailIsActive must be true

Route	HTTP Method	Description	Auth Requirements
`/auth-api/verification-services/password-reset-by-email/start`	POST	Initiates password reset by sending a verification code to the user's email	Public
`/auth-api/verification-services/password-reset-by-email/complete`	POST	Completes password reset by verifying the code and setting a new password	Public

Request Body (/start):

{
  "email": "user@example.com"
}

Request Body (/complete):

{
  "email": "user@example.com",
  "secretCode": "123456",
  "password": "newPassword123"
}

Response (/start):

Returns status: "OK", codeIndex, timeStamp, date, expireTime, verificationType
In test mode: also returns secretCode and userId

Response (/complete):

Returns status: "OK", isVerified: true, email
In test mode: also returns userId
Automatically sets emailVerified: true on the user

Password Reset by Mobile Routes

Activation Condition: VerificationServices.passwordResetByMobile.passwordResetByMobileIsActive must be true

Route	HTTP Method	Description	Auth Requirements
`/auth-api/verification-services/password-reset-by-mobile/start`	POST	Initiates password reset by sending a verification code to the user's mobile number	Public
`/auth-api/verification-services/password-reset-by-mobile/complete`	POST	Completes password reset by verifying the code and setting a new password	Public

Request Body (/start):

{
  "email": "user@example.com"
}

Request Body (/complete):

{
  "email": "user@example.com",
  "secretCode": "123456",
  "password": "newPassword123"
}

Response (/start):

Returns status: "OK", codeIndex, timeStamp, masked mobile, date, expireTime, verificationType
In test mode: also returns secretCode and userId

Response (/complete):

Returns status: "OK", isVerified: true, mobile
In test mode: also returns userId
Automatically sets mobileVerified: true on the user

Important Notes:

All verification routes are rate-limited (typically 60 seconds between requests)
Verification codes expire based on the expireTimeWindow configuration
In test mode (VerificationSettings.verificationMode: "testMode"), secret codes are returned in responses for development purposes
In live mode (VerificationSettings.verificationMode: "liveMode"), secret codes are only sent via email/SMS
Each verification service publishes Kafka events on start and complete actions (see Kafka Topics section below)

Generated Kafka Topics

Database Event Topics

For each data object in the auth service, Kafka topics are automatically generated for database-level events:

User Data Object Topics (DB Events)

Event Type	Topic Name Pattern	Triggered When	Message Structure
`created`	`{projectCodeName}-auth-service-dbevent-user-created`	User is created	`{ user: {...userData} }`
`updated`	`{projectCodeName}-auth-service-dbevent-user-updated`	User is updated	`{ user: {...userData} }`
`deleted`	`{projectCodeName}-auth-service-dbevent-user-deleted`	User is deleted	`{ user: {...userData} }`

Example: If project code name is myproject, the topics would be:

myproject-auth-service-dbevent-user-created
myproject-auth-service-dbevent-user-updated
myproject-auth-service-dbevent-user-deleted

UserGroup Data Object Topics (DB Events, if `userGroupsActive` is true)

Event Type	Topic Name Pattern	Triggered When
`created`	`{projectCodeName}-auth-service-dbevent-usergroup-created`	User group is created
`updated`	`{projectCodeName}-auth-service-dbevent-usergroup-updated`	User group is updated
`deleted`	`{projectCodeName}-auth-service-dbevent-usergroup-deleted`	User group is deleted

UserGroupMember Data Object Topics (DB Events, if `userGroupsActive` is true)

Event Type	Topic Name Pattern	Triggered When
`created`	`{projectCodeName}-auth-service-dbevent-usergroupmember-created`	User added to group
`updated`	`{projectCodeName}-auth-service-dbevent-usergroupmember-updated`	Group membership updated
`deleted`	`{projectCodeName}-auth-service-dbevent-usergroupmember-deleted`	User removed from group

GivenPermission Data Object Topics (DB Events, if `pbacIsActive` is true)

Event Type	Topic Name Pattern	Triggered When
`created`	`{projectCodeName}-auth-service-dbevent-givenpermission-created`	Permission assignment is created
`updated`	`{projectCodeName}-auth-service-dbevent-givenpermission-updated`	Permission assignment is updated
`deleted`	`{projectCodeName}-auth-service-dbevent-givenpermission-deleted`	Permission assignment is deleted

Tenant Data Object Topics (DB Events, if multi-tenancy is active)

Event Type	Topic Name Pattern	Triggered When
`created`	`{projectCodeName}-auth-service-dbevent-{tenantName}-created`	Tenant is created
`updated`	`{projectCodeName}-auth-service-dbevent-{tenantName}-updated`	Tenant is updated
`deleted`	`{projectCodeName}-auth-service-dbevent-{tenantName}-deleted`	Tenant is deleted

Note: Replace {tenantName} with the actual tenant name (e.g., client, store, workspace).

Business API Event Topics (if `raiseApiEvent` is true)

Business APIs that have raiseApiEvent set to true (default) publish events to topics following the pattern: {projectCodeName}-auth-service-{resource}-{actionPassiveForm}

Examples:

login API → {projectCodeName}-auth-service-user-logged-in (if resource is "user")
registerUser API → {projectCodeName}-auth-service-user-registered (if resource is "user")
updateUserRole API → {projectCodeName}-auth-service-userrole-updated (if resource is "userRole")

Note: The exact topic name depends on the API's resource name and action passive form. Not all Business APIs necessarily publish events (depends on raiseApiEvent setting).

Verification Service Event Topics

When verification services are active, they automatically publish Kafka events on start and complete actions. These events are published using the ServicePublisher and include the verification data, session (when available), and request ID. These topics follow the pattern: {projectCodeName}-auth-service-{verificationType}-{action}

Event Publishing Details:

Start Events: Published immediately after a verification process is initiated (when /start route is called successfully)
Complete Events: Published immediately after a verification process is successfully completed (when /complete route is called successfully and verification code matches)
Session Attachment: Session object is automatically attached to the Kafka message when available (for authenticated routes like 2FA)
Message Structure: Each event includes the full verification data object with user information, timestamps, and verification metadata

Email Verification Topics (if `emailVerificationIsActive` is true)

Event	Topic Name Pattern	Triggered When	Message Structure
`start`	`{projectCodeName}-auth-service-email-verification-start`	Email verification process is initiated	`{ userId, email, codeIndex, timeStamp, date, expireTime, verificationType, user: {...userData} }`
`complete`	`{projectCodeName}-auth-service-email-verification-complete`	Email verification is successfully completed	`{ userId, email, isVerified: true, user: {...userData} }`

Mobile Verification Topics (if `mobileVerificationIsActive` is true)

Event	Topic Name Pattern	Triggered When	Message Structure
`start`	`{projectCodeName}-auth-service-mobile-verification-start`	Mobile verification process is initiated	`{ userId, mobile, codeIndex, timeStamp, date, expireTime, verificationType, user: {...userData} }`
`complete`	`{projectCodeName}-auth-service-mobile-verification-complete`	Mobile verification is successfully completed	`{ userId, mobile, isVerified: true, user: {...userData} }`

Email 2FA Topics (if `email2FactorIsActive` is true)

Event	Topic Name Pattern	Triggered When	Message Structure
`start`	`{projectCodeName}-auth-service-email-2FA-start`	Email 2FA process is initiated	`{ userId, sessionId, email, reason, client, codeIndex, timeStamp, date, expireTime, verificationType, user: {...userData} }`
`complete`	`{projectCodeName}-auth-service-email-2FA-complete`	Email 2FA is successfully completed	`{ userId, sessionId, email, isVerified: true, user: {...userData} }`

Mobile 2FA Topics (if `mobile2FactorIsActive` is true)

Event	Topic Name Pattern	Triggered When	Message Structure
`start`	`{projectCodeName}-auth-service-mobile-2FA-start`	Mobile 2FA process is initiated	`{ userId, sessionId, mobile, reason, client, codeIndex, timeStamp, date, expireTime, verificationType, user: {...userData} }`
`complete`	`{projectCodeName}-auth-service-mobile-2FA-complete`	Mobile 2FA is successfully completed	`{ userId, sessionId, mobile, isVerified: true, user: {...userData} }`

Password Reset by Email Topics (if `passwordResetByEmailIsActive` is true)

Event	Topic Name Pattern	Triggered When	Message Structure
`start`	`{projectCodeName}-auth-service-password-reset-by-email-start`	Password reset by email is initiated	`{ userId, email, codeIndex, timeStamp, date, expireTime, verificationType, user: {...userData} }`
`complete`	`{projectCodeName}-auth-service-password-reset-by-email-complete`	Password reset by email is successfully completed	`{ userId, email, isVerified: true, user: {...userData} }`

Password Reset by Mobile Topics (if `passwordResetByMobileIsActive` is true)

Event	Topic Name Pattern	Triggered When	Message Structure
`start`	`{projectCodeName}-auth-service-password-reset-by-mobile-start`	Password reset by mobile is initiated	`{ userId, mobile, codeIndex, timeStamp, date, expireTime, verificationType, user: {...userData} }`
`complete`	`{projectCodeName}-auth-service-password-reset-by-mobile-complete`	Password reset by mobile is successfully completed	`{ userId, mobile, isVerified: true, user: {...userData} }`

Note: Replace {projectCodeName} with your actual project code name. These topics are only created when the corresponding verification service is activated in the VerificationServices configuration.

Database Utility Functions

For each data object in the auth service, Mindbricks generates database utility functions in the dbLayer module. These follow the standard naming convention:

Function Pattern: {operation}{ModelName}

User Data Object Functions

const {
  createUser,
  createBulkUser,
  getUserById,
  getUserAggById,
  getUserListByQuery,
  getUserByQuery,
  getUserStatsByQuery,
  getIdListOfUserByField,
  updateUserById,
  updateUserByIdList,
  updateUserByQuery,
  deleteUserById,
  deleteUserByQuery
} = require("dbLayer");

UserGroup Data Object Functions (if `userGroupsActive` is true)

const {
  createUserGroup,
  createBulkUserGroup,
  getUserGroupById,
  getUserGroupAggById,
  getUserGroupListByQuery,
  getUserGroupByQuery,
  getUserGroupStatsByQuery,
  getIdListOfUserGroupByField,
  updateUserGroupById,
  updateUserGroupByIdList,
  updateUserGroupByQuery,
  deleteUserGroupById,
  deleteUserGroupByQuery
} = require("dbLayer");

UserGroupMember Data Object Functions (if `userGroupsActive` is true)

const {
  createUserGroupMember,
  createBulkUserGroupMember,
  getUserGroupMemberById,
  getUserGroupMemberAggById,
  getUserGroupMemberListByQuery,
  getUserGroupMemberByQuery,
  getUserGroupMemberStatsByQuery,
  getIdListOfUserGroupMemberByField,
  updateUserGroupMemberById,
  updateUserGroupMemberByIdList,
  updateUserGroupMemberByQuery,
  deleteUserGroupMemberById,
  deleteUserGroupMemberByQuery
} = require("dbLayer");

GivenPermission Data Object Functions (if `pbacIsActive` is true)

const {
  createGivenPermission,
  createBulkGivenPermission,
  getGivenPermissionById,
  getGivenPermissionAggById,
  getGivenPermissionListByQuery,
  getGivenPermissionByQuery,
  getGivenPermissionStatsByQuery,
  getIdListOfGivenPermissionByField,
  updateGivenPermissionById,
  updateGivenPermissionByIdList,
  updateGivenPermissionByQuery,
  deleteGivenPermissionById,
  deleteGivenPermissionByQuery
} = require("dbLayer");

Tenant Data Object Functions (if multi-tenancy is active)

Similar functions are generated for the tenant data object (e.g., createClient, getClientById, etc., where Client is the tenant name).

Note: There are no database utility functions for roles, as roles are system constants, not data objects.

For detailed documentation on all database utility functions, see the Database Utility Functions guide.

Automatically Populated Initial Data

Super Admin User

On deployment, Mindbricks automatically creates a Super Admin user with:

Email: Value from LoginDefUserSettings.superAdminEmail
Password: Value from LoginDefUserSettings.superAdminPassword
Role: superAdmin (system role)
Email Verified: true
Full Access: Complete system access across all services and tenants

Root Tenant (Multi-Tenant Only)

When multi-tenancy is active, a root tenant is automatically created:

Codename: "root"
Fullname: "Root" (or as configured)
Purpose: SaaS-level operations and global administration

Introduction — Naming conventions and general patterns
General Service Assets — Common assets for all services
Database Utility Functions — Detailed function documentation

Was this page helpful?

Built with Documentation.AI

Last updated Dec 29, 2025