Royal Glow Docs

Authentication & Roles

Better Auth (Google OAuth) and the six-tier RBAC model.

Better Auth + Google OAuth

Authentication uses Better Auth with Google OAuth as the only sign-in method. Session records live in Neon; the browser holds only the session cookie, which is set HttpOnly, Secure and SameSite=Lax. The Better Auth handler is mounted on the catch-all route /api/auth/[...all].

First sign-in routes a new user to /onboarding to collect phone, DOB, gender, and consents; POST /api/onboarding/complete finalises the profile. UTM and booking context survive the OAuth redirect via sessionStorage.

RBAC — six roles

Roles are hierarchical: a higher role satisfies any lower-role requirement.

Role          Level  Typical access
customer      0      Own bookings, profile, gems, membership
staff         1      Own schedule + leave (admin.theroyalglow.in/me/*)
receptionist  2      + bookings, customers, leads, billing
manager       3      + services, offers, staff, schedule, reports
owner         4      + users, branches
developer     5      + integrations, logs

Enforcing access in API routes

Two helpers guard server routes:

import { requireSession, requireRole } from '@/lib/api/session'

// One route handler: any signed-in user
export async function GET() {
  const session = await requireSession()
  // ... handler body uses session
}

// Another route handler: minimum role (throws 403 FORBIDDEN if below)
export async function POST() {
  const session = await requireRole('receptionist')
  // ... handler body uses session
}

  • requireSession() throws 401 UNAUTHENTICATED when there is no session.
  • requireRole(minRole) throws 403 FORBIDDEN when the user's role level is below the required minimum. Because roles are hierarchical, requireRole('receptionist') also admits manager, owner and developer.
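The following is an added, self-contained model of how requireSession and requireRole behave over the six-tier hierarchy; it is not the code in @/lib/api/session. The real helpers read the Better Auth cookie and look the session up in Neon themselves; here the cookie value is passed in explicitly and resolved against a constructed in-memory table so the guard logic runs offline. The session rows, the `guard` and `statusOf` helpers and the ApiError class are this example's assumptions.

```typescript
// Added example, not Royal Glow's /lib/api/session. Models requireSession /
// requireRole over the six-tier hierarchy against a constructed session table.

export const ROLE_LEVEL = {
  customer: 0,
  staff: 1,
  receptionist: 2,
  manager: 3,
  owner: 4,
  developer: 5,
} as const

export type Role = keyof typeof ROLE_LEVEL

export interface Session {
  userId: string
  role: Role
}

// Raised by the guards; a route handler maps .status to the HTTP response.
export class ApiError extends Error {
  readonly status: 401 | 403
  constructor(status: 401 | 403, code: 'UNAUTHENTICATED' | 'FORBIDDEN') {
    super(code)
    this.name = 'ApiError'
    this.status = status
  }
}

function isApiError(e: unknown): e is ApiError {
  return typeof e === 'object' && e !== null && (e as ApiError).name === 'ApiError'
}

// Constructed stand-in for the session store: cookie value -> session row.
const SESSIONS: Record<string, Session> = {
  'sess-cust':  { userId: 'u1', role: 'customer' },
  'sess-recep': { userId: 'u2', role: 'receptionist' },
  'sess-owner': { userId: 'u3', role: 'owner' },
  // A row whose role column holds a value outside the model (bad migration,
  // hand-edited database). The guard must fail closed, not grant access.
  'sess-bad':   { userId: 'u4', role: 'superuser' as unknown as Role },
}

// Hierarchical check: a role at or above minRole satisfies the requirement.
// An unknown role on either side is denied rather than treated as level 0.
export function roleSatisfies(role: Role, minRole: Role): boolean {
  const have: number | undefined = ROLE_LEVEL[role]
  const need: number | undefined = ROLE_LEVEL[minRole]
  if (have === undefined || need === undefined) return false
  return have >= need
}

// Synchronous core shared by both guards. The 401 check runs before the 403
// check, so an anonymous caller never learns which role a route needs.
export function guard(session: Session | undefined, minRole?: Role): Session {
  if (!session) throw new ApiError(401, 'UNAUTHENTICATED')
  if (minRole !== undefined && !roleSatisfies(session.role, minRole)) {
    throw new ApiError(403, 'FORBIDDEN')
  }
  return session
}

async function lookupSession(cookie: string | undefined): Promise<Session | undefined> {
  return cookie ? SESSIONS[cookie] : undefined // stand-in for the Neon query
}

export async function requireSession(cookie?: string): Promise<Session> {
  return guard(await lookupSession(cookie))
}

export async function requireRole(cookie: string | undefined, minRole: Role): Promise<Session> {
  return guard(await lookupSession(cookie), minRole)
}

// Runs a guard and reports the HTTP status it would produce (200 on success).
export function statusOf(fn: () => unknown): number {
  try {
    fn()
    return 200
  } catch (e) {
    if (isApiError(e)) return e.status
    throw e
  }
}
```

The point worth keeping from the example is the ordering and the fail-closed default: a missing session is always 401, a known role below the minimum is 403, and a role value the level table does not know about is also 403 rather than being silently ranked at customer level.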

Each API page in the reference notes the minimum role for every endpoint.

Route → role guidance

Customer endpoints live on theroyalglow.in; admin endpoints live on the admin.theroyalglow.in subdomain at root paths (there is no /api/admin/ segment; the subdomain is the namespace). A consequence for guards: the same path can carry different requirements on the two hosts (GET /api/services is public on theroyalglow.in but needs manager on admin.theroyalglow.in), so a route's minimum role must be keyed on host and path together, never on path alone.

Route group → minimum role

theroyalglow.in
  • /api/bookings, /api/membership, /api/gems, /api/notifications → customer

admin.theroyalglow.in
  • /api/me/* (own schedule + leave) → staff
  • /api/bookings, /api/customers, /api/leads, /api/billing, /api/memberships → receptionist
  • /api/services, /api/offers, /api/staff, /api/schedule, /api/reports → manager
  • /api/users, /api/branches → owner
  • /api/integrations, /api/logs → developer

Public (no auth) customer endpoints: GET theroyalglow.in/api/services, GET /api/services/[slug], GET /api/availability, POST /api/leads, GET /api/health.
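As an added example (not Royal Glow code), the route table above can be turned into a resolver that takes host, method and path and returns the minimum role, with the subdomain as the namespace. The rule entries are transcribed from the table; the matching behaviour is this example's assumption: segment-aware prefix matching (so /api/me covers /api/me/leave but not /api/members), method-specific public rules, host and path normalisation, and "no matching rule means deny" so an undocumented route is never accidentally public.

```typescript
// Added example, not Royal Glow's code: resolve the minimum role for a request
// from host + method + path. Rules are transcribed from the route table; the
// matching semantics (prefix match, unknown route => deny) are assumptions.

export type Role = 'customer' | 'staff' | 'receptionist' | 'manager' | 'owner' | 'developer'
export type Access = Role | 'public'

const ROLE_LEVEL: Record<Role, number> = {
  customer: 0, staff: 1, receptionist: 2, manager: 3, owner: 4, developer: 5,
}

interface Rule { method?: 'GET' | 'POST'; prefix: string; access: Access }

// Per-host rule lists. Public rules are listed first so that, where a public
// GET and an authenticated route share a prefix, the first match wins.
const RULES: Record<string, Rule[]> = {
  'theroyalglow.in': [
    { method: 'GET',  prefix: '/api/services',     access: 'public' }, // also /api/services/[slug]
    { method: 'GET',  prefix: '/api/availability', access: 'public' },
    { method: 'POST', prefix: '/api/leads',        access: 'public' },
    { method: 'GET',  prefix: '/api/health',       access: 'public' },
    { prefix: '/api/bookings',      access: 'customer' },
    { prefix: '/api/membership',    access: 'customer' },
    { prefix: '/api/gems',          access: 'customer' },
    { prefix: '/api/notifications', access: 'customer' },
  ],
  'admin.theroyalglow.in': [
    { prefix: '/api/me',           access: 'staff' },
    { prefix: '/api/bookings',     access: 'receptionist' },
    { prefix: '/api/customers',    access: 'receptionist' },
    { prefix: '/api/leads',        access: 'receptionist' },
    { prefix: '/api/billing',      access: 'receptionist' },
    { prefix: '/api/memberships',  access: 'receptionist' },
    { prefix: '/api/services',     access: 'manager' },
    { prefix: '/api/offers',       access: 'manager' },
    { prefix: '/api/staff',        access: 'manager' },
    { prefix: '/api/schedule',     access: 'manager' },
    { prefix: '/api/reports',      access: 'manager' },
    { prefix: '/api/users',        access: 'owner' },
    { prefix: '/api/branches',     access: 'owner' },
    { prefix: '/api/integrations', access: 'developer' },
    { prefix: '/api/logs',         access: 'developer' },
  ],
}

// Segment-aware prefix match: '/api/me' matches '/api/me' and '/api/me/leave',
// but not '/api/members'.
function matchesPrefix(path: string, prefix: string): boolean {
  return path === prefix || path.startsWith(prefix + '/')
}

// Lower-case the host and drop any port so the namespace lookup is exact.
function normaliseHost(host: string): string {
  return host.toLowerCase().replace(/:\d+$/, '')
}

// Strip query/fragment, collapse repeated slashes and drop a trailing slash.
function normalisePath(path: string): string {
  const bare = path.split(/[?#]/)[0] ?? path
  const collapsed = bare.replace(/\/{2,}/g, '/')
  return collapsed.length > 1 && collapsed.endsWith('/') ? collapsed.slice(0, -1) : collapsed
}

// Returns the access level a rule grants, or null when no rule covers the
// request. null must be treated as deny: an undocumented route is not public.
export function minimumAccess(host: string, method: string, path: string): Access | null {
  const rules = RULES[normaliseHost(host)]
  if (!rules) return null
  const p = normalisePath(path)
  const m = method.toUpperCase()
  for (const rule of rules) {
    if (rule.method && rule.method !== m) continue
    if (matchesPrefix(p, rule.prefix)) return rule.access
  }
  return null
}

// Final decision for a request; role is undefined for anonymous callers.
export function isAllowed(host: string, method: string, path: string, role?: Role): boolean {
  const need = minimumAccess(host, method, path)
  if (need === null) return false
  if (need === 'public') return true
  if (role === undefined) return false
  const have: number | undefined = ROLE_LEVEL[role]
  return have !== undefined && have >= ROLE_LEVEL[need]
}
```

Two behaviours to note when checking an implementation against this table: an unknown host (or a path no rule names) resolves to null and is denied, and a public rule is method-specific, so POST /api/services on the customer host is not made public by the GET rule.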
