# Authentication Rules

## JWT Token Structure (IMMUTABLE)

All apps use the same token payload:

- `username`, `user_id`, `companies[]`, `permissions[]`, `exp`, `iat`, `type`

## Backend Rules

- Use `AuthenticationMiddleware` from `shared/auth/middleware.py`
- Use `get_current_user` dependency from `shared/auth/dependencies.py`
- Never implement custom auth logic in routers
- Rate limiting: 5 req/5 min for `/auth/*` paths

## Frontend Rules

- Use `createAuthStore(apiService)` factory from `shared/frontend/stores/auth.js`
- Use `LoginView.vue` component from `shared/frontend/components/`
- Store tokens in localStorage: `access_token`, `refresh_token`, `user`
- Initialize auth on app startup with `initializeAuth()`
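The following is an added example, not code from this rules page or from the `shared/auth` package it refers to. It shows, in stdlib-only Python, what the shared token contract and the backend rules above imply when enforced: a token carrying exactly the seven required claims, a verifier that rejects a missing claim, a bad signature, an unexpected `alg`, an expired `exp`, or the wrong `type`, and a sliding-window limiter applying the 5 requests per 5 minutes rule to `/auth/*` paths. The `type` values `access` and `refresh`, the TTLs, the signing key, and every function name are assumptions for the illustration; the real `AuthenticationMiddleware` and `get_current_user` are not shown here.

```python
import base64
import hashlib
import hmac
import json
import time
from collections import deque

# Constructed demo key and lifetimes; the real values live in the shared package.
SECRET = b"demo-signing-key-not-for-production"
ACCESS_TTL = 15 * 60           # assumed access-token lifetime, seconds
REFRESH_TTL = 7 * 24 * 3600    # assumed refresh-token lifetime, seconds

# The immutable claim set from the rules page.
REQUIRED_CLAIMS = ("username", "user_id", "companies", "permissions", "exp", "iat", "type")


class TokenError(Exception):
    """Raised for any token that must not be accepted."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(username, user_id, companies, permissions, token_type, now=None):
    """Build an HS256 JWT whose payload is exactly the shared claim set."""
    now = int(time.time()) if now is None else now
    ttl = ACCESS_TTL if token_type == "access" else REFRESH_TTL
    payload = {
        "username": username, "user_id": user_id,
        "companies": list(companies), "permissions": list(permissions),
        "exp": now + ttl, "iat": now, "type": token_type,
    }
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token, expected_type="access", now=None):
    """Return the payload only if signature, claim set, type and expiry all check out."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust the header's choice
        raise TokenError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):   # constant-time compare
        raise TokenError("bad signature")
    payload = json.loads(_b64url_decode(p))
    missing = [c for c in REQUIRED_CLAIMS if c not in payload]
    if missing:
        raise TokenError(f"missing claims: {missing}")
    if payload["type"] != expected_type:     # a refresh token must not pass as an access token
        raise TokenError("wrong token type")
    if now >= payload["exp"]:
        raise TokenError("token expired")
    return payload


class SlidingWindowLimiter:
    """Per-client counter: at most `limit` requests in any trailing `window` seconds."""

    def __init__(self, limit=5, window=300):
        self.limit, self.window = limit, window
        self._hits = {}  # client key -> deque of request timestamps

    def allow(self, key, now=None):
        now = time.time() if now is None else now
        hits = self._hits.setdefault(key, deque())
        while hits and hits[0] <= now - self.window:   # drop hits older than the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def handle_request(path, client_ip, token, limiter, now=None):
    """Stand-in for the middleware + dependency chain: returns (status, detail)."""
    if path.startswith("/auth/") and not limiter.allow(client_ip, now):
        return 429, "rate limited"
    if token is None:
        return 401, "missing token"
    try:
        user = verify_token(token, "access", now)
    except TokenError as err:
        return 401, str(err)
    return 200, user["username"]
```

Because `now` is an explicit parameter everywhere, the expiry and window behaviour can be exercised deterministically; pass no `now` to use wall-clock time.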