Detailed description of the authorization actor
Provides a comprehensive explanation of:
This description should be detailed enough for both API consumers to understand the actor's purpose and for the system to properly enforce access controls.
MUST be written in English. Never use other languages.
Allowed user types for this API
Specifies which user types are permitted to access this API.
This is not a permission level or access control actor. Instead, it describes who the user is — their type within the service's domain model. It must correspond 1:1 with how the user is represented in the database.
MUST use camelCase naming convention.
⚠️ Important: Each actor must exactly match a table name defined in
the database schema. This is not merely a convention or example — it is
a strict requirement.
A valid actor must meet the following criteria:
admin and administrator must not exist to describe the same type.Therefore, if a user type cannot be clearly and uniquely distinguished in
the database, It cannot be used as a valid actor here.
Authorization - Authentication and user type information
This field defines how the API authenticates the request and restricts access to specific user types.
✅ Only the
AuthorizationHTTP header is used for authentication. The expected format is:Authorization: Bearer <access_token>
The token must be a bearer token (e.g., JWT or similar), and when parsed, it is guaranteed to include at least the authenticated actor's
idfield. No other headers or cookie-based authentication methods are supported.