Module · UAPS

User Auth & Profile System

Production-grade authentication, roles, and profile management — shipped in minutes, not sprints.

UAPS — Port 8000

What UAPS gives you

Multiple Auth Strategies

Email/password, magic link, and refresh token rotation out of the box. Every strategy is hardened: bcrypt hashing, short-lived JWTs (15 min), long-lived refresh tokens stored in Supabase.

Role-Based Access Control

Three built-in roles — user, manager, admin — with middleware decorators for FastAPI routes. Extend with custom roles in one configuration file.

Row-Level Security

All Supabase tables ship with RLS policies pre-configured. Users can only read and modify their own profiles. Admins have full bypass. Service role keys work server-side only.

Session Management

Built with @supabase/ssr. Server components get the session from cookies; client components subscribe to auth state changes. No flash of unauthenticated content.

Profile System

Extends Supabase auth.users with a profiles table: full name, avatar URL, onboarding status, and role. Avatar uploads go to a dedicated Supabase Storage bucket.

Security Defaults

Rate limiting on all auth endpoints via slowapi. Request IDs on every response for traceability. Structured JSON logs with user_id and request_id correlation.
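
The short-lived access token and three-role model described above can be checked server-side as shown here. This is an added example, not UAPS source code: it assumes an HS256 token signed with SUPABASE_JWT_SECRET, and the app_role claim name, the user < manager < admin ordering, and all function names are hypothetical.

```python
import base64, hashlib, hmac, json

ACCESS_TTL = 15 * 60  # page: access JWTs live 15 minutes
ROLE_RANK = {"user": 0, "manager": 1, "admin": 2}  # assumed ordering

class AuthError(Exception):
    """Raised for any token or role failure; callers map it to 401/403."""

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue_token(secret: bytes, user_id: str, role: str, now: int) -> str:
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_id, "app_role": role, "iat": now, "exp": now + ACCESS_TTL}
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.{b64url_encode(sign(secret, f'{header}.{body}'))}"

def verify_token(secret: bytes, token: str, now: int) -> dict:
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:
        raise AuthError("malformed token") from exc
    # Pin the algorithm server-side; the token never gets to choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise AuthError("unexpected alg")
    # Check the signature before trusting anything in the claims.
    if not hmac.compare_digest(sig, sign(secret, f"{header_b64}.{body_b64}")):
        raise AuthError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or now >= exp:
        raise AuthError("expired")
    return claims

def require_role(claims: dict, minimum: str) -> None:
    role = claims.get("app_role")
    rank = ROLE_RANK.get(role) if isinstance(role, str) else None
    if rank is None or rank < ROLE_RANK[minimum]:  # unknown roles fail closed
        raise AuthError("insufficient role")
```

Passing the clock in as `now` keeps the expiry check testable; a route guard would call `verify_token` and then `require_role` before touching any profile data.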

Install UAPS

terminal
# Scaffold UAPS module only
$ npx kiban@latest init --module uaps

# Run database migrations
$ kiban migrate

# Seed test admin account
$ kiban seed

# Start UAPS backend on port 8000
$ kiban dev --module uaps

✔ UAPS running on http://localhost:8000

Architecture

Kiban_UAPS/
├── backend/               FastAPI (Python 3.12)
│   ├── app/
│   │   ├── auth/          Register, login, magic-link, refresh
│   │   ├── profiles/      CRUD + avatar upload
│   │   ├── rbac/          Role middleware + permission checks
│   │   └── core/          Config, logging, security helpers
│   └── migrations/
│       └── 001_init.sql   profiles table + RLS + enums
├── frontend-web/          Next.js 15 (App Router)
│   ├── app/auth/          Login & register pages
│   └── lib/               useSession, getServerSession
└── package.json           Turborepo workspace root

How to integrate

Run kiban init

The CLI clones the UAPS backend and frontend bindings and writes your .env with SUPABASE_URL, SUPABASE_ANON_KEY, and SUPABASE_JWT_SECRET.

Run migrations

kiban migrate runs 001_init.sql, which creates the profiles table, RLS policies, enum types, and storage bucket configuration.

Seed default data

kiban seed creates the admin@kiban.dev test account with the admin role so you can explore the full permission model immediately.

Integrate in your frontend

Import useSession() from @kiban/uaps-client for client-side state and getServerSession() for server components and API route guards.

UAPS is included in all plans

Authentication and profiles are the foundation. Every Kiban license — Basic, Pro, and Enterprise — includes UAPS with no seat limits and no monthly active user caps.