Namespace KadicAuth.Api.Controllers
Classes
- PlatformAdminsController
  Platform-admin membership administration. Deliberately isolated:
  - Not exposed in Swagger ([ApiExplorerSettings(IgnoreApi = true)]).
  - Every endpoint gated by RequirePlatformAdminAttribute which returns 404 to unauthorized callers (so they cannot even learn this controller exists).
  - Does not use the normal Permissions.Auth.* policy system. Platform admins are a parallel, first-class concept — on purpose.
  - Grants and revokes are audited inside IPlatformAdminService.

  Bootstrap of the very first platform admin happens via PlatformAdminBootstrap at startup; this controller cannot bootstrap because it requires an existing platform admin to call it.
- TenantSuperAdminController
  Tenant-super-admin membership administration.
  - Gated by AUTH_MANAGE_TENANT_SUPER_ADMINS permission policy at the class level — only existing tenant super admins (or platform admins) can call these endpoints.
  - Does not use the normal role assignment flow. Tenant super admins are a parallel, first-class concept — on purpose.
  - Grants and revokes are audited inside ITenantSuperAdminService.