System Overview

Last Updated: March 1, 2026

What is Herald?

Herald is Today's Carolinian's centralized Identity Provider (IdP) that manages authentication and user identity across all TC applications. It implements Single Sign-On (SSO) allowing users to log in once and access multiple applications without re-authenticating.

Core Responsibilities

1. Authentication

• Verify user credentials (email/password)
• Issue secure session tokens (via BetterAuth)
• Manage session lifecycle (creation, refresh, revocation)
• Handle password resets and email verification with auto-login
• Support first-login password change flow

2. Authorization (ABAC)

• Store user positions and associated permissions
• Enforce position-based access control for user management
• Provide dashboard access to all authenticated users
• Protect user management routes based on 6 specific positions

3. User Management

• Create and manage user accounts (restricted to 6 positions)