FastFollow is multi-tenant by design. Every API request is scoped to a tenant, a user, and a role — with fine-grained permissions on top. This page covers session tokens, API tokens, OAuth, and the RBAC model.
Three supported ways to authenticate
Used by the FastFollow web app. Short-lived JWT access tokens stored in memory + long-lived refresh tokens in httpOnly cookies. Automatic rotation.
For interactive users in a browser
Long-lived bearer tokens generated from /settings → API Tokens. Scoped to a specific tenant and role. Use for backend automations, cron jobs, scripts.
For machine clients and integrations
Sign in with Google for SSO. Creates a session on first login; subsequent logins re-use the session model above.
For human users who prefer SSO
Generate a token, then authenticate every request with it
curl https://app.fastfollow.ai/api/contacts \
-H "Authorization: Bearer ff_live_•••" \
-H "Content-Type: application/json"Tokens prefixed with ff_live_ grant full API access with the scoped role. Treat them like passwords — store in a secret manager, never commit to source control, rotate at least every 90 days.
Three token types with different TTLs and storage rules
| Token | TTL | Where it lives | Purpose |
|---|---|---|---|
| Access token | 15 minutes | In-memory (browser) or Authorization header (server) | Authenticate individual API requests |
| Refresh token | 7 days, rotates on every use | httpOnly Secure cookie (browser only) | Mint new access tokens without re-authenticating |
| API token | Until manually revoked | You store it — never logged or echoed back from the API | Long-running automations and integrations |
Five roles with inherited permissions, scoped to a single tenant
ownerFull access. Can manage billing, members, and all tenant settings.
adminTenant administration. Manage integrations, users, and team settings — cannot change billing or transfer ownership.
sales_managerTeam-level visibility. Read all team members’ pipelines, follow-ups, and rooms.
sales_repIndividual contributor. Read and write own pipeline, follow-ups, and rooms. Cannot access teammates’ data.
viewerRead-only across visible data. Useful for stakeholders and observers.
| Permission | owner | admin | manager | rep | viewer |
|---|---|---|---|---|---|
| contacts:read | |||||
| contacts:write | |||||
| followups:read | |||||
| followups:write | |||||
| followups:approve | |||||
| rooms:read | |||||
| rooms:publish | |||||
| integrations:manage | |||||
| users:invite | |||||
| billing:manage | |||||
| tenant:transfer |
Every authenticated request carries a tenant ID derived from the user's session or API token. Every database query is automatically scoped to that tenant — there is no API path that allows cross-tenant reads or writes.
If you operate multiple FastFollow tenants (e.g. one per customer in a reseller model), you must generate a separate API token for each. Tokens cannot be impersonated across tenants.
JWT claims structure
{
"sub": "usr_01H...",
"email": "user@example.com",
"tenantId": "ten_01H...",
"role": "sales_manager",
"permissions": [
"contacts:read",
"contacts:write",
"followups:approve"
],
"iat": 1714540800,
"exp": 1714541700
}Returned headers: X-RateLimit-Limit, X-RateLimit-Remaining, Retry-After
Authenticated API token
600 requests / minute, burst to 1,000
Browser session
1,200 requests / minute per user
Unauthenticated (public room access)
60 requests / minute per IP
Auth endpoints (sign-in, signup)
20 attempts / 15 minutes per IP
Exceeding the limit returns HTTP 429 with a Retry-After header indicating seconds until the window resets.
Recommendations for handling FastFollow tokens
Generate a new token, deploy it, delete the old one. FastFollow lets you keep two active tokens during the rotation window.
Store tokens in AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault, or 1Password — never in .env files committed to git.
If your CI bot only reads contacts, use a viewer-role token. Avoid creating owner-role tokens for any automation.
The audit log at /admin/health surfaces every API token used and its rolling request rate. Investigate any unexpected spikes.
If a token is exposed, revoke it from Settings → API Tokens. Revocation is instant and global.
Enterprise tenants can pin API tokens to specific IP CIDR ranges. Contact support to enable.