Token System
The token system is the access control backbone. Tokens are opaque strings that map to records in D1.
Token Record Schema
| Field | Type | Description |
|---|---|---|
| token_hash | TEXT | SHA-256 hash of the token (primary key) |
| name | TEXT | Human-readable label |
| role | TEXT | visitor, reviewer, or founder |
| scope | TEXT | Comma-separated section keys |
| person_id | TEXT | Links to person record (nullable) |
| expires_at | TEXT | ISO 8601 expiration timestamp |
| single_use | INTEGER | 1 if token is consumed on first claim |
| claimed | INTEGER | 1 if single-use token has been claimed |
| revoked | INTEGER | 1 if revoked by founder |
| created_at | TEXT | Creation timestamp |
Scope Resolution
Scopes are comma-separated section keys. The worker resolves effective scope by:
- Splitting the scope string
- Checking if the requested section key matches any scope entry
- Checking hierarchical membership via suffix matching
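
The three steps above can be sketched as follows. This is an added example, not the project's worker code. The function names, the `.` delimiter in section keys, and the rule that a scope entry covers any key ending in `.` plus that entry are assumptions made for illustration.

```javascript
// Added example: names, the "." delimiter, and the direction of the
// suffix rule are assumptions, not taken from the project's worker.
const DELIM = ".";

// Step 1: split the stored scope string into clean entries.
// Empty entries are dropped: "".split(",") yields [""], and
// key.endsWith("") is true for every key, which would grant everything.
function parseScope(scope) {
  if (typeof scope !== "string") return [];
  return scope
    .split(",")
    .map((entry) => entry.trim())
    .filter((entry) => entry.length > 0);
}

// Steps 2 and 3: exact match, then suffix match anchored on the delimiter
// so that "finance" covers "q3.finance" but not "nonfinance".
function scopeAllows(scope, sectionKey) {
  if (typeof sectionKey !== "string" || sectionKey.length === 0) return false;
  return parseScope(scope).some(
    (entry) => sectionKey === entry || sectionKey.endsWith(DELIM + entry)
  );
}

// Constructed sample scope strings and requested section keys.
const samples = [
  ["finance,roadmap", "roadmap"],    // exact match
  ["finance,roadmap", "q3.finance"], // hierarchical member
  ["finance", "nonfinance"],         // shares a suffix, wrong boundary
  ["", "finance"],                   // empty scope grants nothing
  ["finance, ,", "team"],            // stray separators grant nothing
];
for (const [scope, key] of samples) {
  console.log(JSON.stringify(scope), key, "->", scopeAllows(scope, key));
}
```

Anchoring the suffix on a delimiter and discarding empty entries keeps a malformed or blank `scope` column from widening access.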