Define what each user type can see and do. Example: a Host can create listings, but cannot manage other users.

Highest access level. Can change global settings, manage admins, and access full audit logs.

Runs day-to-day platform operations: approve listings, handle disputes, manage content.

Creates and manages listings, prices, and availability; communicates with guests.

Finds listings, books time/dates, pays, and leaves reviews after completion.

Assists users, resolves issues, and escalates problems when needed.

The app hides features and blocks API actions based on role (same rules on frontend + backend).

Standard login. Users sign in with email + password. Applies to all client apps.

Faster login using social accounts. Can be enabled/disabled per region/client decision.

User confirms ownership of email address before using the platform fully.

“Forgot password” flow sends a secure link to set a new password.

Controls how long users stay logged in and when to force re-login.

User (or Admin) can see active sessions and log out from a specific device.

Audit trail for security and support: when/where logins happened.

Passwords are never stored in plain text; the database stores secure hashes only.

Short-lived token used to call APIs without sending passwords each time.

Keeps users signed in securely by renewing access tokens and invalidating old refresh tokens.

Blocks repeated failed logins to prevent guessing attacks.