Authentication & users
Carriyo enforces strict authentication for every entry point. API integrations and Dashboard users each follow a dedicated authentication path, designed for both developer convenience and enterprise security requirements.
Machine authentication
API clients authenticate using OAuth 2.0 client credentials, the recommended mechanism for all server-to-server access. Each tenant provisions a client ID and client secret in the Dashboard and selects the scopes those credentials are authorized for. Carriyo issues short-lived bearer tokens in exchange. When a token expires, clients obtain a fresh one by calling the token endpoint again; no long-lived secrets are passed on individual API calls.
| Mechanism | Use case |
|---|---|
| OAuth 2.0 client credentials | Server-to-server API access. Recommended. |
| Static API key | Legacy clients. |
Token lifetimes are bounded and returned in every issuance response. For setup, see Get API credentials.
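A client-side token cache for the client-credentials flow described above, as an added example that is not Carriyo's own SDK or code. The token endpoint URL, client ID, client secret and scope string are placeholders, and `expires_in` and `token_type` are assumed to be the standard OAuth 2.0 token-response fields.

```python
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Placeholders: the real token endpoint, client ID and secret come from the Dashboard.
TOKEN_URL = "https://TOKEN-ENDPOINT-PLACEHOLDER/oauth/token"
CLIENT_ID = "CLIENT-ID-PLACEHOLDER"
CLIENT_SECRET = "CLIENT-SECRET-PLACEHOLDER"

def post_form(form: Dict[str, str], url: str = TOKEN_URL) -> Dict:
    # Default fetcher: POST the form to the token endpoint and decode the JSON body.
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

@dataclass
class TokenCache:
    # Holds one bearer token and renews it shortly before the lifetime the server reported.
    scopes: str                                     # space-separated scopes for this client
    fetch: Callable[[Dict[str, str]], Dict] = post_form  # sends the client-credentials request
    refresh_margin: int = 30                        # renew this many seconds before expiry
    clock: Callable[[], float] = time.time          # injectable for testing
    _token: Optional[str] = field(default=None, init=False)
    _expires_at: float = field(default=0.0, init=False)

    def bearer(self) -> str:
        now = self.clock()
        if self._token is None or now >= self._expires_at - self.refresh_margin:
            # The client secret travels only here, to the token endpoint, never on API calls.
            resp = self.fetch({
                "grant_type": "client_credentials",
                "client_id": CLIENT_ID,
                "client_secret": CLIENT_SECRET,
                "scope": self.scopes,
            })
            if resp.get("token_type", "").lower() != "bearer":
                raise ValueError(f"unexpected token_type: {resp.get('token_type')!r}")
            self._token = resp["access_token"]
            self._expires_at = now + int(resp["expires_in"])  # lifetime in seconds
        return self._token

def authorized_headers(cache: TokenCache) -> Dict[str, str]:
    # Per-call headers carry only the short-lived bearer token, never the client secret.
    return {"Authorization": f"Bearer {cache.bearer()}"}
```

Because `expires_in` is honoured with a refresh margin, a process that outlives one token keeps working without ever storing the secret alongside the token on outbound calls.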
Human authentication
| Mechanism | Availability |
|---|---|
| Email + password | All tenants. |
| SAML 2.0 SSO | Enterprise plans. |
| Multi-factor authentication | Optional per user. |
Password policy
Carriyo enforces password requirements aligned with established identity-security guidance. Commonly breached passwords are rejected at the point of creation. Repeated authentication failures trigger temporary lockouts, limiting exposure to credential-stuffing attacks.
Session policy
Dashboard sessions expire on inactivity and are bounded by an absolute maximum lifetime. Tenants with stricter session requirements can request tighter limits through their account contact.
Role-based access control
Tenants assign Dashboard users to roles. Roles cover the full range of access needs, from administrative control to read-only oversight, and Carriyo enforces those boundaries. Permissions attach to roles, not directly to users. The same role definitions apply consistently across both the API and the Dashboard.
See Manage user roles for the day-to-day procedure.