Session
The current user snapshot, as the shell hands it to an app. Read it from platform.session, and
follow later changes via the session.changed event. Everything here is for driving UI; the app’s
backend re-checks identity and authorization on every request and is the real gate.
Properties
authenticated
authenticated: boolean;
Whether a user is signed in. When false, treat the app as logged-out.
email?
optional email?: string;
The user’s email, when known — the key apps should join their own data on.
isAdmin?
optional isAdmin?: boolean;
The single platform-admin gate: drives admin-only app visibility. Distinct from the flat roles below — not one of them.
name?
optional name?: string;
The user’s display name, when known.
roles?
optional roles?: string[];
The user’s flat roles, delivered in the handshake (refreshed on reconnect). Advisory ONLY:
getRoles() / hasRole() read them for affordances (show/hide). The app backend introspects the
live session and is the sole gate — a tampered value only changes what the client shows or attempts.
sub?
optional sub?: string;
The identity provider’s stable subject id (e.g. a Google sub); an internal key — prefer email.
subscriptions?
optional subscriptions?: string[];
App ids this user may access — visibility, NOT authorization (the backend introspection is the gate).
userId?
optional userId?: string;
Stable identifier for the signed-in user, when authenticated.
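The split between UI affordances and the backend gate described above, as an added example (not the platform's own code). SessionSnapshot mirrors the properties on this page; deriveAffordances, backendAllows, the "editor" role and the app ids are hypothetical names and constructed values.

```typescript
// Local mirror of the Session properties documented above (added example).
interface SessionSnapshot {
  authenticated: boolean;
  email?: string;
  isAdmin?: boolean;
  roles?: string[];
  subscriptions?: string[];
}

// Hypothetical view model: what the UI shows, never what the user may do.
interface Affordances {
  loggedOut: boolean;
  showAdminNav: boolean;
  showEditButton: boolean;
  visibleApps: string[];
  dataKey: string | null;
}

// Pure, so it can be re-run on every snapshot delivered by session.changed.
function deriveAffordances(s: SessionSnapshot, allApps: string[]): Affordances {
  if (!s.authenticated) {
    // Logged-out: ignore any other field the snapshot happens to carry.
    return { loggedOut: true, showAdminNav: false, showEditButton: false, visibleApps: [], dataKey: null };
  }
  const roles = s.roles ?? [];
  const subs = s.subscriptions ?? [];
  return {
    loggedOut: false,
    showAdminNav: s.isAdmin === true, // isAdmin is its own gate, not a role
    showEditButton: roles.indexOf("editor") !== -1, // "editor" is a constructed role name
    visibleApps: allApps.filter((id) => subs.indexOf(id) !== -1),
    dataKey: s.email ?? null, // join app data on email
  };
}

// Hypothetical backend check: decides from the server's own session record.
// The client's snapshot is a parameter only to show that it is never read.
function backendAllows(serverRecord: SessionSnapshot, _clientSnapshot: SessionSnapshot, role: string): boolean {
  return serverRecord.authenticated && (serverRecord.roles ?? []).indexOf(role) !== -1;
}

// Constructed sample data: the server's view, and the same user's snapshot after client-side editing.
const ALL_APPS = ["mail", "billing"];
const serverSide: SessionSnapshot = { authenticated: true, email: "ana@example.test", roles: ["viewer"], subscriptions: ["mail"] };
const tampered: SessionSnapshot = { authenticated: true, email: "ana@example.test", isAdmin: true, roles: ["viewer", "editor"], subscriptions: ["mail", "billing"] };

console.log(deriveAffordances(tampered, ALL_APPS)); // more UI becomes visible
console.log(backendAllows(serverSide, tampered, "editor")); // the gate is unchanged
```

The edited snapshot widens what the client renders, while the backend decision still follows the server's record.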