Authentication
Charlie Mac uses Azure AD (Entra ID) for all authentication. SSO is enforced at the platform level via Azure Static Web Apps — no separate login system to maintain.
How it works
Calling the API from client code
Once authenticated, the session cookie is sent automatically on same-origin requests. For API calls:
```typescript
// The auth cookie is sent automatically — no manual token handling needed
const response = await fetch('/api/data');
const data = await response.json();
```
For calls to external APIs, retrieve the access token from the SWA auth endpoint:
```typescript
async function getAccessToken(): Promise<string> {
  const response = await fetch('/.auth/me');
  const { clientPrincipal } = await response.json();
  // clientPrincipal contains userId, userRoles, claims
  return clientPrincipal?.accessToken ?? '';
}
```
Checking the current user
```typescript
type ClientPrincipal = {
  identityProvider: string;
  userId: string;
  userDetails: string; // email address
  userRoles: string[]; // e.g. ['authenticated', 'staff', 'engineers']
};

async function getCurrentUser(): Promise<ClientPrincipal | null> {
  const response = await fetch('/.auth/me');
  const { clientPrincipal } = await response.json();
  return clientPrincipal;
}
```
Logout
```typescript
// Redirect to SWA logout endpoint — clears the auth cookie
window.location.href = '/.auth/logout';
```
Role reference
| Role | Assigned to | Can access |
|---|---|---|
| anonymous | Everyone | Public pages only |
| authenticated | Any logged-in user | General docs |
| staff | All employees (via AAD group) | Internal KB |
| engineers | Engineering team (via AAD group) | Runbooks, access management |
| admin | Doc admins | All areas |
Roles are assigned via the SWA role management API backed by Azure AD group membership.
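The roles returned by `/.auth/me` are suitable for showing or hiding UI, but the API has to make the access decision itself. The following is an added example, not code from this page or from the Charlie Mac project: it decodes the base64 JSON principal that Static Web Apps forwards to the API in the `x-ms-client-principal` request header and applies the role table above with deny-by-default handling. The area keys in `AREA_ROLE` and the function names are assumptions made for illustration.

```typescript
// Added example. AREA_ROLE keys and all function names are hypothetical;
// the role names come from the Role reference table.
type Principal = {
  identityProvider: string;
  userId: string;
  userDetails: string;
  userRoles: string[];
};

// Minimum role per area ("admin" is allowed everywhere, per the table).
const AREA_ROLE = new Map<string, string>([
  ['public', 'anonymous'],
  ['general-docs', 'authenticated'],
  ['internal-kb', 'staff'],
  ['runbooks', 'engineers'],
  ['access-management', 'engineers'],
]);

// Decode the base64 JSON that SWA puts in the x-ms-client-principal header.
// Returns null for a missing, undecodable or malformed value.
function parsePrincipal(header: string | undefined): Principal | null {
  if (!header) return null;
  try {
    const bytes = Uint8Array.from(atob(header), (c) => c.charCodeAt(0));
    const p = JSON.parse(new TextDecoder().decode(bytes));
    const ok =
      p !== null &&
      typeof p === 'object' &&
      typeof p.userId === 'string' &&
      Array.isArray(p.userRoles) &&
      p.userRoles.every((r: unknown) => typeof r === 'string');
    return ok ? (p as Principal) : null;
  } catch {
    return null;
  }
}

// Deny by default: unknown areas are refused, and a request without a valid
// principal is treated as holding only the "anonymous" role.
function canAccess(header: string | undefined, area: string): boolean {
  const required = AREA_ROLE.get(area);
  if (required === undefined) return false;
  const roles = parsePrincipal(header)?.userRoles ?? ['anonymous'];
  return roles.includes('admin') || roles.includes(required);
}

// Constructed sample: a staff member asking for the engineers-only runbooks.
const sample = btoa(JSON.stringify({ identityProvider: 'aad', userId: 'u-1', userDetails: 'staff@example.com', userRoles: ['anonymous', 'authenticated', 'staff'] }));
console.log(canAccess(sample, 'runbooks'), canAccess(sample, 'internal-kb'));
```

In an API handler, pass the raw header value and the area being requested to `canAccess` and return 403 when it is false.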