Account Setup & Authentication

Configure your Carfluence account, set up multi-tenant access, and understand how authentication works with FusionAuth.

Carfluence uses FusionAuth as its identity provider, giving you enterprise-grade authentication out of the box.

How Authentication Works

  1. Login: Users authenticate via email/password through FusionAuth
  2. JWT Token: On successful login, a JWT token is issued with user claims (email, name, roles)
  3. API Access: All API requests include the JWT in the Authorization: Bearer header
  4. Token Refresh: Tokens expire after a configurable period; use the refresh endpoint to get new tokens
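
For step 4, a client can read the token's expiry locally to decide when to call the refresh endpoint. The following is an added example, not Carfluence or FusionAuth code: the function names, the 60-second skew, the sample token, and the assumption that the claims are keyed `email`, `name`, `roles` and the standard `exp` are illustrative. The claims are read without signature verification, so they are suitable only for scheduling a refresh, never for an authorization decision.

```python
import base64
import json
import time
from typing import Optional

REFRESH_SKEW_SECONDS = 60  # assumption: refresh one minute before expiry


def _segment(raw: str) -> dict:
    """Decode one base64url JWT segment (padding restored) to a dict."""
    value = json.loads(base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)))
    if not isinstance(value, dict):
        raise ValueError("JWT segment is not a JSON object")
    return value


def unverified_claims(token: str) -> dict:
    """Payload claims WITHOUT signature verification: fine for scheduling
    a refresh on the client, never for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header, claims = _segment(parts[0]), _segment(parts[1])
    if header.get("alg") != "RS256":  # alg seen in the page's sample token
        raise ValueError("unexpected signing algorithm")
    return claims


def needs_refresh(token: str, now: Optional[float] = None) -> bool:
    """True if the token is malformed, lacks exp, or expires within the skew."""
    try:
        exp = unverified_claims(token).get("exp")
    except ValueError:  # covers bad base64, bad JSON, wrong shape
        return True
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return True
    return (time.time() if now is None else now) >= exp - REFRESH_SKEW_SECONDS


def sample_token(exp: int) -> str:
    """Constructed token with a fake signature, for offline demonstration."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"email": "user@example.com", "name": "Sample User",
              "roles": ["Viewer"], "exp": exp}
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


if __name__ == "__main__":
    tok = sample_token(exp=1_700_000_600)
    print(unverified_claims(tok)["roles"], needs_refresh(tok, now=1_700_000_000))
```

Treating a malformed or unexpected token as "needs refresh" makes the client fail towards re-authentication instead of sending a token it cannot read.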

Multi-Tenant Architecture

Carfluence uses schema-level isolation in PostgreSQL. Each dealer group gets its own database schema, ensuring complete data separation:

  • Your data is never mixed with another organization's data
  • Each schema has its own tables for inventory, integrations, rules, etc.
  • The user_access table maps your FusionAuth user ID to your dealer group schema

User Roles

| Role    | Permissions                                                                 |
|---------|-----------------------------------------------------------------------------|
| Admin   | Full access: manage users, integrations, dealers, AI config, audit logs     |
| Manager | Manage integrations, dealers, inventory, rules. No admin settings.          |
| Viewer  | Read-only access to inventory and reports                                   |
| API     | Programmatic access via API keys with configurable scopes                   |

API Authentication

For programmatic access, you have two options:

Option A: JWT Token (recommended for user sessions)

```bash
# Login to get a token
curl -X POST https://app.carfluence.io/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "you@example.com", "password": "your-password"}'

# Use the token
curl https://app.carfluence.io/api/v1/inventory \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..."
```

Option B: API Key (recommended for integrations)

```bash
curl https://app.carfluence.io/api/v1/inventory \
  -H "X-API-Key: cf_live_abc123..."
```

API keys can be scoped to specific permissions (e.g., inventory:read, dealers:write) and rate-limited per hour.

Security Features

  • Encryption: All data encrypted at rest and in transit (TLS 1.3)
  • Audit Logging: Every API request and security event is logged
  • IP Allowlisting: Restrict API key usage to specific IP ranges
  • Rate Limiting: Configurable per-key rate limits (default: 1000 requests/hour)

Last updated: December 10, 2025