axion is the identity and access system powering every Jamtable tenant. Multi-tenant. Multi-domain. Multi-provider. Sign in with a work Google account, Microsoft, Apple ID, or a one-click email link — all from the same secure infrastructure.
axion handles the full identity lifecycle. Whether your team uses Google Workspace or your retail customers prefer a one-click email link, the flow is the same from the platform's perspective — and completely invisible to them.
Every Jamtable tenant runs under its own domain — your DMS at dms.yourbrand.com, your shop at shop.yourbrand.com. axion resolves the tenant context from the domain before the login page even renders. No configuration needed per deployment.
Depending on the tenant configuration, the user sees the sign-in methods available to them. Enterprise staff see “Sign in with Google” for their Workspace account. Retail customers see a password form or a one-click email link. These can be mixed within the same tenant — staff get SSO, customers get email OTP.
For tenants using Google Workspace, the sign-in flow is handled entirely by Google Cloud. Here is what the user sees, step by step:
jane@yourbrand.com). If they are already signed into Chrome or their browser with that account, Google may skip the password prompt entirely.
HttpOnly cookie — never in localStorage.
Your organisation doesn't need a special Jamtable account — your existing Google Workspace identity is the account. If your business already uses Google Workspace (Gmail, Drive, Meet), your staff sign in with the same email and password they use every day. No separate credentials to manage, no password resets to Jamtable support, no account provisioning step.
After authentication, axion maps the user to a role defined by the tenant administrator — store manager, service writer, finance, customer. The JWT carries a compact representation of their permissions. Every API request on the Jamtable platform validates this token at the edge before the request reaches application code.
Sessions are short-lived by design. axion automatically refreshes a valid session in the background during the last portion of its lifetime — users never experience a forced logout mid-task. When a session genuinely expires (tab left open overnight, account revoked), the next request redirects cleanly to the sign-in screen.
If your team already uses Google Workspace, there is nothing new to learn. axion treats your Google identity as the source of truth.
For teams already using Google — Gmail, Drive, Meet, Docs
Navigate to your dealership's DMS or shop URL. The sign-in page shows your organisation's available methods. For Google Workspace tenants, this includes a “Sign in with Google” button prominently displayed.
Clicking the button opens a Google-hosted page — notice the URL is accounts.google.com, not Jamtable. Your password is entered directly on Google's servers. Jamtable never sees it. If you're already signed into your work account in the browser, Google may show a simple account picker instead.
On your very first sign-in, Google asks you to confirm that axion (the Jamtable authentication service) can read your name, email address, and profile photo. That is all that is ever requested — no access to your Gmail, no access to Google Drive, no contacts. This consent screen appears only once per user.
axion receives the confirmation from Google, verifies it cryptographically, looks up your role and permissions, and redirects you to your personalised dashboard. The whole process takes 2–4 seconds. Every subsequent sign-in from the same browser is faster — often a single click.
Every tenant's users, sessions, and secrets are completely isolated. A bug in tenant A cannot expose tenant B's data.
Tokens expire quickly. axion refreshes them silently in the background. Revocations take effect on the next request, not at the next login.
All credential comparisons use constant-time algorithms, eliminating timing-based side-channel attacks on password verification.
Session tokens are never accessible to JavaScript. XSS attacks cannot steal credentials because they are held in HttpOnly cookies only.
Permissions are encoded in the JWT and verified at the edge before requests reach application code. No role can see more than it is entitled to.
Token validation runs at the nearest Cloudflare data centre, not at a distant origin. Auth checks add ~0ms to perceived latency worldwide.
axion is not a third-party SaaS bolted onto Jamtable. It is a first-party system built to the same standards as the rest of the platform.
| Component | Technology | Role |
|---|---|---|
| Token format | JWT (RS256) | Signed access tokens carry tenant ID, user ID, roles, and expiry. Verified at the edge without a database round-trip. |
| Password hashing | PBKDF2 / SHA-256 | 100,000 iterations applied to all locally managed passwords. Google SSO users have no Jamtable password at all. |
| Google sign-in | OAuth 2.0 / OIDC | Google Cloud issues an identity token after authentication. axion verifies the signature, issuer, and audience before trusting it. |
| Session storage | HttpOnly Cookie | No localStorage, no sessionStorage. Tokens are inaccessible to JavaScript running on the page. |
| Tenant resolution | Domain lookup | Incoming request hostname is matched to a tenant record in Config DB before any auth logic runs. Unknown domains are rejected. |
| RBAC enforcement | Edge middleware | Permission claims in the JWT are checked by Hono middleware before the route handler executes. Unauthorised requests never reach business logic. |
| Rate limiting | Per-IP / Per-route | Login endpoints: 3 req/min. Auth endpoints: 10 req/min. Brute-force resistance without CAPTCHA friction for legitimate users. |
| Session refresh | Sliding window | axion issues a new token during the final 4 hours of a 24-hour session. The user never sees a mid-session logout. |
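
The order of edge checks the table describes (tenant resolved from the hostname, RS256 signature, expiry, tenant binding, permission, then the 4-hour refresh window) can be sketched as follows. This is an added example, not axion's code: the claim names `tid` and `perms`, the tenant map, the key pair and the function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed sample data: a throwaway key pair and a hostname -> tenant map
// standing in for the Config DB lookup. All names here are hypothetical.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const TENANTS = new Map([['dms.yourbrand.com', 'tenant-a'], ['shop.other.example', 'tenant-b']]);
const REFRESH_WINDOW_S = 4 * 3600; // final 4 hours of the 24-hour session

const b64u = (v) => Buffer.from(v).toString('base64url');

// Issuer side, for the demo only: mint a signed token.
function mint(claims, header = { alg: 'RS256', typ: 'JWT' }) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

// Edge side: resolve tenant, verify signature, then check expiry, tenant and permission.
function authorize(host, token, needed, now) {
  const tenant = TENANTS.get(host.toLowerCase());
  if (!tenant) return { ok: false, reason: 'unknown-domain' };
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString()) ?? {};
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString()) ?? {};
  } catch { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm: never let the token choose "none" or an HMAC variant.
  if (header.alg !== 'RS256') return { ok: false, reason: 'bad-alg' };
  const valid = crypto.verify('RSA-SHA256', Buffer.from(`${parts[0]}.${parts[1]}`),
    publicKey, Buffer.from(parts[2], 'base64url'));
  if (!valid) return { ok: false, reason: 'bad-signature' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  // A valid token for tenant B must not work on tenant A's domain.
  if (claims.tid !== tenant) return { ok: false, reason: 'tenant-mismatch' };
  if (!Array.isArray(claims.perms) || !claims.perms.includes(needed)) {
    return { ok: false, reason: 'forbidden' };
  }
  // Sliding window: signal a refresh only near the end of the session.
  return { ok: true, refresh: claims.exp - now <= REFRESH_WINDOW_S };
}
```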
axion ships as part of every Jamtable platform deployment. There is nothing to install separately, no SaaS subscription to add, no third-party vendor to trust with your users' identities.