New users register with email and password. After registration, a personal tenant is automatically created for them. Authenticated users receive a JWT access token and a refresh token used for seamless session renewal.
```mermaid
stateDiagram-v2
    [*] --> ANONYMOUS: User visits TalkIDE
    ANONYMOUS --> REGISTERED: User submits sign-up form
    REGISTERED --> ACTIVE: Email verified (MVP: auto-verified)
    ACTIVE --> AUTHENTICATED: User logs in (valid credentials)
    AUTHENTICATED --> TOKEN_REFRESHED: Access token expires → refresh token used
    TOKEN_REFRESHED --> AUTHENTICATED: New access token issued
    AUTHENTICATED --> ANONYMOUS: User logs out
    AUTHENTICATED --> PASSWORD_RESET_REQUESTED: User requests password reset
    PASSWORD_RESET_REQUESTED --> ACTIVE: User sets new password via reset link
```
States
| State | Description | Transitions |
|---|---|---|
| ANONYMOUS | Unauthenticated visitor | → REGISTERED (sign up) |
| REGISTERED | Account created, awaiting verification | → ACTIVE (auto-verified in MVP) |
| ACTIVE | Verified account, not currently logged in | → AUTHENTICATED (login) |
| AUTHENTICATED | User has a valid session (JWT) | → TOKEN_REFRESHED, → ANONYMOUS (logout), → PASSWORD_RESET_REQUESTED (password reset requested) |
| TOKEN_REFRESHED | Access token renewed via refresh token | → AUTHENTICATED |
| PASSWORD_RESET_REQUESTED | Password reset email sent | → ACTIVE (new password set) |
Business Rules
- Email must be unique across all users
- Password minimum 8 characters
- In MVP, email verification is skipped (account is immediately ACTIVE after registration)
- A personal Tenant is automatically created on sign-up (slug derived from email local part)
- Refresh tokens expire after 14 days; access tokens expire after 15 minutes
- Logging out invalidates the refresh token server-side
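
The token rules above (15-minute access tokens, 14-day refresh tokens, server-side invalidation on logout), sketched as an added example that is not TalkIDE's own code. HS256 signing, the in-memory store, keeping only a hash of the refresh token, and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

ACCESS_TTL = 15 * 60              # access tokens: 15 minutes (business rule)
REFRESH_TTL = 14 * 24 * 3600      # refresh tokens: 14 days (business rule)
SECRET = secrets.token_bytes(32)  # assumption: HS256 with a server-held key
_refresh = {}  # sha256(refresh token) -> (user_id, expires_at); stands in for a DB table

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(signing_input: str) -> str:
    return _b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def _key(refresh: str) -> str:
    # Only a hash is stored, so a leaked table does not yield usable refresh tokens.
    return hashlib.sha256(refresh.encode()).hexdigest()

def issue_access(user_id: str, now: float) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_id, "iat": int(now), "exp": int(now) + ACCESS_TTL}
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_sign(header + '.' + body)}"

def verify_access(token: str, now: float):
    """Return the user id, or None if the signature is bad or the token has expired."""
    try:
        header, body, sig = token.split(".")
        # The algorithm is fixed server-side; the token's own "alg" is never trusted.
        if not hmac.compare_digest(sig.encode(), _sign(f"{header}.{body}").encode()):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except ValueError:
        return None
    return claims["sub"] if now < claims["exp"] else None

def login(user_id: str, now: float):
    """ACTIVE -> AUTHENTICATED: returns (access token, refresh token)."""
    refresh = secrets.token_urlsafe(32)
    _refresh[_key(refresh)] = (user_id, now + REFRESH_TTL)
    return issue_access(user_id, now), refresh

def refresh_access(refresh: str, now: float):
    """AUTHENTICATED -> TOKEN_REFRESHED -> AUTHENTICATED; None if revoked or expired."""
    row = _refresh.get(_key(refresh))
    if row is None or now >= row[1]:
        return None
    return issue_access(row[0], now)

def logout(refresh: str) -> None:
    """AUTHENTICATED -> ANONYMOUS: the refresh token stops working immediately."""
    _refresh.pop(_key(refresh), None)
```

An access token issued before logout still verifies until its 15-minute expiry, because only the refresh token is invalidated server-side.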