Skip to content

Auth Data Model

Seamless Auth is built on a relational model that keeps users, sessions, passkeys, organizations, events, and configuration explicit and inspectable.

This page focuses on the core entities in seamless-auth-api and how they relate.


User -> has many -> Sessions
User -> has many -> Credentials
User -> has many -> Auth Events
User -> has many -> Magic Link Tokens
User -> has many -> OAuth Identities
User -> has many -> TOTP Credentials
User -> has many -> Organization Memberships
Organization -> has many -> Organization Memberships
Session -> may point to -> Active Organization
System -> configured by -> System Config
Bootstrap -> handled by -> Bootstrap Invites

Users represent authenticated identities.

FieldTypeDescription
iduuidUnique user ID
emailstringUnique email
phonestringUnique phone
rolesstring[]Global roles assigned to the user
revokedbooleanWhether auth is disabled
emailVerificationTokenstring | nullIn-progress email verification token
phoneVerificationTokenstring | nullIn-progress phone verification token
emailVerifiedbooleanEmail verification state
phoneVerifiedbooleanPhone verification state
verifiedbooleanFully verified state
challengestring | nullIn-progress auth challenge
challengeContextjson | nullContext for an in-progress challenge
lastLogintimestamp | nullLast successful login

Users have child records for passkeys, sessions, OAuth identities, organization memberships, TOTP credentials, and auth events.


Sessions are first-class records, not just opaque browser state.

FieldTypeDescription
iduuidSession ID
userIduuidOwning user
infraIdstring | nullInfra/session context identifier
organizationIduuid | nullActive organization context for the session
mode'server'Session mode currently stored by the auth API
refreshTokenHashstringStored refresh token hash
refreshTokenLookupstring | nullIndexed refresh-token lookup fingerprint
lastUsedAttimestampLast activity timestamp
expiresAttimestampAbsolute expiration
idleExpiresAttimestampIdle expiration
stepUpVerifiedAttimestamp | nullTime of last fresh step-up verification
stepUpMethodstring | nullStep-up method, such as webauthn or totp
deviceNamestring | nullFriendly device label
userAgentstring | nullRequest device/browser info
ipAddressstring | nullRequest origin
replacedBySessionIduuid | nullRotation link
revokedAttimestamp | nullRevocation time
revokedReasonstring | nullRevocation reason

Refresh tokens are stored as hashes and lookup fingerprints, not as raw refresh tokens.


Credentials store passkeys and related metadata.

FieldTypeDescription
idstringCredential ID
userIduuidOwning user
publicKeybinaryWebAuthn public key
counternumberReplay-protection counter
transportsjsonTransport hints
deviceTypestring | nullCredential device type
backedupbooleanWhether the credential is backed up
prfCapablebooleanWhether registration reported PRF support
friendlyNamestring | nullUser-friendly label
lastUsedAttimestamp | nullLast usage
platformstring | nullPlatform classification
browserstring | nullBrowser classification
deviceInfostring | nullDevice description

PRF output is not stored in credential records. Only PRF capability metadata is stored.


Organizations group users for tenant-style access and active-session context.

FieldTypeDescription
iduuidOrganization ID
namestringDisplay name
slugstringUnique slug
createdByUserIduuid | nullUser who created the organization
metadatajson | nullCaller-defined metadata

Memberships connect users to organizations.

FieldTypeDescription
iduuidMembership ID
organizationIduuidOwning organization
userIduuidMember user
rolesstring[]Roles inside the organization
scopesstring[]Organization-scoped permissions

The database enforces one membership per (organizationId, userId) pair.


OAuth identities link external provider accounts to local users.

FieldTypeDescription
iduuidOAuth identity ID
userIduuidLocal user
providerIdstringProvider config ID, such as google
providerSubjectstringProvider subject/user ID
emailstringEmail from provider profile
profilejsonb | nullRedacted provider profile fields

The auth API enforces uniqueness on (providerId, providerSubject).


TOTP credentials store encrypted authenticator-app secrets.

FieldTypeDescription
iduuidTOTP credential ID
userIduuidOwning user
secretCiphertexttextEncrypted TOTP secret
secretIvstringEncryption IV
secretTagstringEncryption authentication tag
issuerstringTOTP issuer
accountNamestringTOTP account label
enabledbooleanWhether the credential can be used
verifiedAttimestamp | nullEnrollment verification time
lastUsedAttimestamp | nullLast successful use
lastUsedCounternumber | nullReplay prevention counter

Production deployments should provide TOTP_SECRET_ENCRYPTION_KEY.


Magic links are stored as explicit records with request-context hashes.

FieldTypeDescription
iduuidToken ID
user_iduuidAssociated user
token_hashstringHashed magic link token
redirect_urlstring | nullPost-verification target
ip_hashstring | nullRequest IP hash
user_agent_hashstring | nullRequest user-agent hash
expires_attimestampExpiration
used_attimestamp | nullUsage marker

Auth events are the audit trail for the authentication system.

FieldTypeDescription
iduuidEvent ID
user_iduuid | nullAssociated user
typestringEvent type
ip_addressstring | nullOrigin IP
user_agentstring | nullDevice info
metadatajsonb | nullRedacted event context

Events cover registration, login, OTP, magic links, WebAuthn, OAuth, TOTP, admin actions, suspicious requests, and recovery flows.


System config controls auth behavior such as:

  • default_roles
  • available_roles
  • login_methods
  • passkey_login_fallback_enabled
  • oauth_providers
  • lockout_policy
  • access_token_ttl
  • refresh_token_ttl
  • rate_limit
  • delay_after
  • rpid
  • origins

Raw secrets should stay in environment variables or a secret manager, not in system_config.


Bootstrap invites are used for the first admin flow.

FieldTypeDescription
iduuidInvite ID
emailstringTarget email
role'admin'Assigned bootstrap role
tokenHashstringInvite token hash
expiresAttimestampExpiration
consumedAttimestamp | nullUsage marker
createdBystringCreation source
createdIpstring | nullCreation request IP
createdUserAgenttext | nullCreation request user agent
lastSentAttimestamp | nullLast invite send
attemptCountnumberInvite attempts

users.id -> sessions.userId
users.id -> credentials.userId
users.id -> auth_events.user_id
users.id -> magic_link_tokens.user_id
users.id -> oauth_identities.user_id
users.id -> totp_credentials.user_id
users.id -> organization_memberships.user_id
organizations.id -> organization_memberships.organization_id
sessions.organizationId -> organizations.id

  • users carry global roles directly, which keeps baseline authorization explicit
  • organization memberships add tenant-level roles and scopes without hiding the global user model
  • sessions are durable records, which makes revocation, active organization context, and step-up freshness inspectable
  • credentials are first-class objects, which supports passkey management and PRF capability metadata
  • auth events provide an audit trail and feed dashboard metrics
  • system config is explicit instead of hidden inside code

Continue to Sessions.