Skip to content

Identity & roles

Shipping today 7 built-in roles MFA-ready

Secure sign-in for every kind of user.

Email + password with JWT, refresh-token rotation, MFA-ready. RBAC enforced at the route, the API, and the row.

The front door of Edu Flick. Every login, every session, every permission check passes through this layer — and the underlying primitives are flexible enough to mould around your school's existing identity setup.

Login screen

Live login screen — your branding, your school name, your colour palette once we go live.

What we ship today

Today · live
  • Email + password sign-in with JWT-backed sessions.
  • Refresh-token rotation for safe long-lived sessions.
  • Self-service password change. Admin-initiated reset for students & parents.
  • Seven built-in roles: Super Admin, Principal, Teacher, Accountant, HR, Student, Parent.
  • Passwords bcrypt-hashed; never stored in plain text.
  • MFA-ready: TOTP can be enabled per role with a config flag.
  • Brute-force protected with rate limits + lockouts.

Tailored to your school

Mould it
  • Rename or split built-in roles to match your terminology (e.g. Headmaster, Vice Principal, HoD, Coordinator).
  • Add custom roles with bespoke permission sets — scoped to your tenant, audited the same way.
  • Single sign-on with Google Workspace, Microsoft Entra, or your campus IdP.
  • Username-based login for students who don't have email accounts.
  • Session-policy fine tuning — shorter sessions for staff, persistent sessions for parents on mobile.

Where AI takes this

Phase 4 · AI
  • Anomaly-watch on the audit log — surfaces unusual access patterns to the Super Admin.
  • Suggested permission baselines when you add a new role.
  • Natural-language "Who can access what?" queries.

Who uses it

Everyone. The login page is the front door. For the full permissions model, see Roles & access.