# Identity View
This view describes our strategy for identity, authentication, and authorisation.
# Principles
## Auth0 is the source of truth for identity
We keep a single source of truth for identity data, and that is Auth0. Other systems may need a subset of it (MailChimp, for example, needs an email address); we push that contact information from Auth0 to MailChimp rather than letting MailChimp, or any other system, hold identity data of its own.
## Replicate identity data into each context for query purposes
Auth0's Management API, which our backend currently uses to look up contacts, is rate-limited to 2 requests per second (the exact limit depends on the subscription tier, but it is low on every tier), so querying it on the request path will not scale. Each context therefore keeps its own read-only copy of the identity attributes it needs to answer queries. The copy holds only the attributes that context actually uses, and it is never written to directly: changes go to Auth0, which remains the source of truth.
## Define the list of permissions per API
Auth0 lets us register each of our APIs as a separate API (resource server) and define its permissions on that definition. If we have an Inventory API, for example, we create an Inventory API definition in Auth0 and list its permissions there. Access tokens are then issued for that API's identifier (the token audience), so a backend accepts a token only if it was issued for its own API and carries the permission the endpoint requires; a valid token issued for a different API is rejected.
# Sequence: Unauthenticated API Request
This sequence diagram shows how we protect API endpoints that require no authentication but still expose resources sensitive enough to need protection; for those we require a captcha. The captcha response must be verified server-side before the request is processed, and the endpoint should stay rate-limited as well, since a captcha only raises the cost of automated abuse rather than preventing it.
# Sequence: User Authenticated API Request
This sequence diagram shows how we secure an API endpoint once a user has authenticated: the request carries the access token issued by Auth0, and the API validates that token and checks its permissions before serving the request.