Access

People, invites, and boundary checks

Fetch CSRF tokens, scope to a studio, and audit every invite with a requestId for downstream forensics.


Session & CSRF

Session handshake

Requires valid session cookie; returns header + cookie pair.


People

Invite an employee

Requires membership & permissions; token preview is redacted.


API guard

Prevent web-host leakage

Ensures studios/people endpoints stay on the API origin.


Alina Reyes

Producer

online

Location: CDMX

Last activity: Channels · now

Studio guard enforced — membership + studio headers are required before any mutate calls.

Mason Cho

Engineer

review

Location: Remote

Last activity: Docs · 4m ago


Priya Narang

Finance

on leave

Location: NYC

Last activity: Exports · yesterday


Audit

Immutable audit trail

Mutations log actor membership, studio, entity, and requestId for cross-service tracing. Keep the headers intact to avoid permission confusion.

  • Invite creation + acceptance emits audit records.
  • Studio updates + channel actions carry the originating requestId.
  • Time entries + approvals are stored with actor membership IDs.

Studio protections

  • Role-scoped permissions are cached but resilient to Redis outages.
  • CSRF requires matching header + cookie + origin; state-changing routes enforce it.
  • Studio guard rejects mismatched studio headers to avoid lateral access.
  • All error payloads are JSON with requestId mirrored in headers.