Skip to main content

Authentication & Access Control

Overview

Whoxa CRM uses JWT-based authentication with separate access and refresh tokens. There are two auth domains: User (business owners and agents) and Admin (super admin).

Registration Flow

Steps: Signup form → OTP verification → Account activated → Business Onboarding wizard (5 steps: Business Details → Hours → Location → Social → Catalogue) → WABA Connection → Dashboard.

Docusaurus logo

Login Flow

Steps: Enter email + password (or phone OTP) → Server returns access token + refresh token → Frontend stores tokens → All requests are authenticated automatically.

Docusaurus logo

Supported Login Methods

MethodNotes
Email + PasswordStandard credential login
Phone OTPSMS OTP verification
Google OAuthSocial login via Google
Forgot Password3-step reset flow via OTP

Token Handling

TokenPurposeExpiry
Access TokenAuthenticate every API requestShort-lived (minutes/hours)
Refresh TokenObtain new access token without re-loginLong-lived

When the access token expires, the system automatically fetches a new one using the refresh token and retries the original request — no manual re-login required.

Agent Authentication

Agents log in with the same credentials as business users. On WhatsApp routes, the system automatically maps the agent to the correct business owner's account so agents can handle conversations without needing direct WABA credentials.

Admin Authentication

Super admin uses a separate login flow with its own access and refresh tokens.

Role-Based Access Control

RoleBehaviour
Business OwnerFull access to all features
AgentAccess to conversations and messaging only
Super AdminFull access to admin panel across all tenants

Subscription Limit Enforcement

Before creating agents, automations, templates, or conversations, the system checks the active subscription plan and compares current usage against the plan limit. If the limit is reached, the action is blocked until the plan is upgraded.

OTP Resend

On the OTP screen, click Resend OTP to receive a new code. Rate-limited to prevent abuse.

Security Notes

  • Blocked users are rejected on every request.
  • Deleted users are rejected by the auth system.
  • Demo mode blocks all data-changing actions on admin routes.
  • Socket connections use a separate token-based auth that registers the session in real-time for live presence tracking.