Access & authentication
Two questions sit behind every access decision: who are you, and what are you allowed to do. Bluprint answers both carefully.
Signing in
You can sign in with a magic link / SSO sign-in (a secure, email-based link that is also used for account recovery) or with a password once you've set one. Either way:
- Auth tokens are stored in HttpOnly, Secure, SameSite cookies: HttpOnly means scripts running in the browser can't read the session token, Secure means the browser only sends it over HTTPS, and SameSite restricts the browser from attaching it to requests that originate from other sites.
- Companies can set a password policy (minimum length and complexity) and a session timeout, and can require two-factor authentication for everyone.
- You can review and revoke your active sessions — see Security & sign-in.
Role-based access control
Bluprint enforces role-based access control (RBAC) at both the company and project level. The full model is in Roles & Permissions; the security properties worth knowing here:
- Your current membership is the source of truth. Access is checked against your live role — not a cached token — so when an admin changes or revokes your access, it takes effect immediately. Stale credentials can't retain elevated access.
- Least privilege. Roles grant only what's needed; project-scoped actions also require membership of that specific project.
- It fails closed. If a permission can't be confirmed, the answer is no — access is never granted by accident.
Administrative actions are logged
Administrative actions are recorded for audit, in the same tamper-evident audit trail as the rest of the platform — so privileged activity is always accountable.
The AI plays by the same rules
The Associate acts within your exact permissions — it can never do something your role couldn't, and its actions are audited too.
Last updated: 2026-05-31