Authentication
Users authenticate with email and password, which establishes a session. Application requests carry that session; HomecareHQ resolves it to a verified user before doing any work. Requests that aren’t authenticated are rejected before any data is touched.Programmatic API credentials (for server-to-server integrations) are part of the upcoming
public API. Today, access is through an authenticated user session.
Tenancy & isolation
A user belongs to one or more organizations through a membership. Every request acts within exactly one organization, and all data access is constrained to that organization by row-level security in the database.Authorization
Within an organization, what a user can do is governed by permissions tied to their role (owner, admin, manager, member, caregiver). Permissions are checked server-side on every sensitive operation. Examples of the permission families HomecareHQ uses:| Permission family | Governs |
|---|---|
source_document:* | Uploading and reviewing source documents |
connected_data:read | Reading connected-system data in chat and dashboards |
organization:* / membership:* | Managing the organization and its team |
registry_check:* | Running and reading registry checks |
Permissions are enforced by the server regardless of what a client requests — prompts and
client-side checks are never the security boundary.

