Cargo A/C

Platform Owner

How the single permanent Super User is defined, protected, and recognized across every Cargo application.

Mohit Singh Sagar · Super User · Owner

Account CA-0000000001 — the one and only platform owner. This designation is permanent and cannot be deleted, demoted, or duplicated.

Exactly one, forever

A single account holds the super_admin role. Backend triggers block any attempt to remove it, reassign it, or grant super_admin to anyone else — and auto-restore it if it ever goes missing.

Protected profile

The owner's profile cannot be deleted, and is always kept as an internal, active account regardless of any edit attempt.

Signed claim, not config

The owner is identified by an is_owner claim emitted into every signed token. Apps read this claim — they never hardcode an email or ID.

Recognized everywhere

Each spoke validates tokens against the identity provider's JWKS and treats is_owner: true as the highest authority for owner-only surfaces.

Token claim

The owner's signed token carries these claims. The is_owner flag is the field your app should trust.

ID / access token claims
{
  "sub": "<owner-user-id>",
  "cargo_account_number": "CA-0000000001",
  "user_type": "internal",
  "roles": ["super_admin"],
  "is_owner": true
}

Recognizing the owner in a spoke

After verifying the token signature against the published JWKS, gate owner-only actions on the claim.

Verification gate
// Trust the identity provider's signed token (verified via JWKS),
// then treat the owner claim as the single source of truth.
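function isPlatformOwner(claims) {
  // Strict comparison: a missing claims object or a non-boolean value fails.
  return claims?.is_owner === true;
}

// Example gate for an owner-only action in any spoke. Place it at the top of
// the action's handler; session and reject come from the spoke's own code.
if (!isPlatformOwner(session.claims)) {
  return reject("Reserved for the platform owner");
}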
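
The verify-then-gate sequence described above, as an added example (not Cargo's own code) built on Node's built-in crypto module. The key pair, the kid demo-key-1, the helper names, the RS256 algorithm and the required exp claim are assumptions made for the example; the page specifies none of them.

```javascript
// Added example: verify a token against a JWKS, then gate on is_owner.
// Key pair, kid and claims are constructed here so the example runs offline.
const nodeCrypto = require("node:crypto");

const b64u = (s) => Buffer.from(s).toString("base64url");
const parseSeg = (seg) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));

// Constructed stand-in for the identity provider: one RSA key published as a JWKS.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const jwks = { keys: [{ ...publicKey.export({ format: "jwk" }), kid: "demo-key-1", use: "sig" }] };

// Hypothetical helper: sign claims as the provider would (RS256 assumed).
function signToken(claims, key = privateKey, header = { alg: "RS256", kid: "demo-key-1" }) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${nodeCrypto.sign("sha256", Buffer.from(input), key).toString("base64url")}`;
}

// Returns the claims only if signature and expiry check out; otherwise null.
function verifyToken(token, keySet, now = Math.floor(Date.now() / 1000)) {
  try {
    const [h, p, s, ...extra] = String(token).split(".");
    if (!h || !p || !s || extra.length) return null;
    const header = parseSeg(h);
    // Pin the algorithm so "none" or an HMAC variant is never accepted.
    if (header.alg !== "RS256") return null;
    const jwk = keySet.keys.find((k) => k.kid === header.kid);
    if (!jwk) return null;
    const key = nodeCrypto.createPublicKey({ key: jwk, format: "jwk" });
    const sig = Buffer.from(s, "base64url");
    if (!nodeCrypto.verify("sha256", Buffer.from(`${h}.${p}`), key, sig)) return null;
    const claims = parseSeg(p);
    // Assumption: tokens carry a numeric exp claim (seconds since epoch).
    if (typeof claims.exp !== "number" || claims.exp <= now) return null;
    return claims;
  } catch {
    return null; // malformed input fails closed
  }
}

// Owner gate: claims are read only after verification, and is_owner must be
// the boolean true (a role list or the string "true" does not qualify).
function isVerifiedOwner(token, keySet) {
  const claims = verifyToken(token, keySet);
  return claims !== null && claims.is_owner === true;
}
```

A production spoke would load the JWKS from the identity provider instead of generating a key, and would normally also check the token's issuer and audience, which this page does not specify.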

Paste-ready brief for app teams

Hand this to every internal and client application so they recognize the platform owner consistently.

Distribute to spokes
Platform Owner (Super User) — recognition brief

Every Cargo application must recognize a single permanent platform owner.

• Identity: the owner is the one account whose signed token carries
  "is_owner": true. There is exactly one, always.
• Do NOT hardcode emails, names, or account numbers to detect the owner.
  Read the "is_owner" claim from the verified token only.
• The owner always holds the highest role ("super_admin") and an
  "internal" user_type. These cannot be revoked.
• Owner-only surfaces (destructive platform actions, global config) must
  gate on the "is_owner" claim, not on role lists alone.
• Tokens are validated against the identity provider's published JWKS.
  No shared secret is required and none should be stored.