Guest and Vendor Access Flows

This document provides end-to-end flow definitions for guest, vendor, planner, admin, and integration access behavior.

3 min read

This document provides end-to-end flow definitions for guest, vendor, planner, admin, and integration access behavior.

Guest invite access

Planner or system creates invitation scope for a guest actor or RSVP unit.
Tov+ issues a guest invite token scoped to the occasion and allowed events.
Guest opens the invite link on {occasion_slug}.tov.plus.
Guest app sends the token to api.tovplus.com for validation/exchange.
Backend validates token state, expiration, revocation, and occasion match.
Backend creates a guest session scoped to the token or returns an equivalent short-lived access token.
Guest app fetches allowed occasion/event/module surfaces using guest_principal.
Each request evaluates token scope, invitation scope, module enablement, and permissions.
Guest can perform low-friction actions such as RSVP, forms, or guest-visible browsing within the granted scope.

Tov+ generates guest-specific QR content through the Publishing capability or invite workflow.
QR encodes or references a scoped guest token.
Guest scans the QR code.
The guest app or mobile browser opens the occasion flow with the QR token.
Backend validates the token and exchanges it for a guest session.
Requests proceed as ordinary guest_principal requests with the same scope restrictions.

Rules:

QR access is not a second auth model.
QR tokens should be short-lived or one-time when the linked action is sensitive.

Guest is already in a valid guest session.
Guest chooses to claim access for continuity.
Guest authenticates through Keycloak.
Tov+ resolves or creates the internal user.
Tov+ verifies that the authenticated user currently possesses valid guest entitlement.
Tov+ creates or activates the user-to-actor link for the claimed guest actor.
Future requests may use user_principal instead of guest_principal.
Guest can now access the same occasion from another device by logging in.

Rules:

Planner or admin creates vendor actor or vendor organization actor in the occasion.
Planner or admin assigns event/module/resource scopes to the vendor actor.
Tov+ issues vendor invite to a specific contact.
Vendor opens the invite flow on vendors.tovplus.com.
Vendor authenticates through Keycloak or creates an authenticated identity there.
Tov+ resolves or creates the internal user.
Tov+ activates the user-to-vendor-actor link.
Vendor app fetches only the occasions, events, modules, and resources granted to that actor.
Each vendor request resolves the vendor actor context and enforces permissions.

Rules:

vendor onboarding may start from an invite token, but durable access is through authenticated user_principal
vendor app must not expose planner-only surfaces even if the same user has planner access elsewhere unless the current occasion/actor context allows it

Planner visits dash.tovplus.com.
Planner authenticates through Keycloak.
Tov+ resolves the internal user and active planner actor link for the selected occasion.
Dashboard fetches accessible occasions and permissions.
Planner selects occasion and event context.
All module and resource actions are evaluated through central permissions.

Rules:

Admin or system registers an integration app in Tov+.
Tov+ issues integration credentials and scoped permissions.
Integration calls api.tovplus.com using key/secret or derived access token.
Backend authenticates the credential and resolves integration_principal.
Backend loads explicit integration scopes.
Each request is authorized against those scopes and the target occasion/event/module/resource context.
All actions are audited to the integration identity and credential id.