@orangy Server side we extract the username and token from the cookie (typically a mangled GUID with some extra information around it), do a lookup against the DB to see if that "session" token still exists and if it hasn't expired yet; if it doesn't exist or has expired, return error 403, in which case the user needs to log in.
If that token exists, extract the user or company, which can now be sent along to every method. So for a multi-tenancy system, you'd extract the user and the user's company, which will then be used to filter data.
Permissions are also handled based on this user / company data retrieved from the session table.
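The flow described in the reply above, as an added example that is not the poster's own code: a cookie is parsed into username and token, the token is looked up in a session table, a missing or expired token yields 403, and a valid one yields a request context carrying the user and company that every handler then uses for tenant filtering and permission checks. The cookie layout (`session=<username>:<token>`), the table schema, the sample rows and all function names are assumptions made for this illustration; an in-memory SQLite database stands in for the real DB.

```python
"""Session-cookie lookup against a session table (added example, not the
forum poster's code). The cookie format, schema, rows and helper names are
constructed assumptions that illustrate the flow described in the post."""
import hmac
import sqlite3
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed schema: one row per live session; sessions.token is the opaque
# value the client holds, users/companies supply the tenant context.
SCHEMA = """
CREATE TABLE companies (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE users (
    id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,
    company_id INTEGER NOT NULL REFERENCES companies(id),
    role TEXT NOT NULL);
CREATE TABLE sessions (
    token TEXT PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id),
    expires_at INTEGER NOT NULL);
CREATE TABLE invoices (
    id INTEGER PRIMARY KEY, company_id INTEGER NOT NULL, amount INTEGER NOT NULL);
"""


@dataclass(frozen=True)
class RequestContext:
    """What gets passed to every method once the session is validated."""
    user_id: int
    username: str
    company_id: int
    role: str


def open_db(now: int) -> sqlite3.Connection:
    """Build an in-memory DB with constructed sample rows (one live, one stale session)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO companies VALUES (?, ?)", [(1, "acme"), (2, "globex")])
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                   [(10, "alice", 1, "admin"), (20, "bob", 2, "viewer")])
    db.executemany("INSERT INTO sessions VALUES (?, ?, ?)", [
        ("tok-alice-live", 10, now + 3600),   # valid for another hour
        ("tok-bob-stale", 20, now - 1),       # already expired
    ])
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [(1, 1, 500), (2, 2, 700), (3, 1, 250)])
    return db


def parse_session_cookie(cookie: str) -> Optional[Tuple[str, str]]:
    """Assumed cookie layout 'session=<username>:<token>'; returns (username, token) or None."""
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and ":" in value:
            username, _, token = value.partition(":")
            if username and token:
                return username, token
    return None


def authenticate(db: sqlite3.Connection, cookie: str, now: int) -> Tuple[int, Optional[RequestContext]]:
    """Look the token up in the session table.

    Returns (403, None) when the cookie is malformed, the token is unknown,
    it has expired, or it does not belong to the username in the cookie;
    otherwise (200, context) carrying user and company for every handler.
    """
    parsed = parse_session_cookie(cookie)
    if parsed is None:
        return 403, None
    username, token = parsed
    row = db.execute(
        """SELECT u.id, u.username, u.company_id, u.role, s.expires_at
           FROM sessions s JOIN users u ON u.id = s.user_id
           WHERE s.token = ?""", (token,)).fetchone()
    if row is None:
        return 403, None
    user_id, db_username, company_id, role, expires_at = row
    # The username in the cookie must match the user the token maps to, so a
    # client cannot pair a valid token with someone else's name; compared in
    # constant time out of habit for anything that comes from the client.
    if not hmac.compare_digest(db_username.encode(), username.encode()):
        return 403, None
    if expires_at <= now:
        db.execute("DELETE FROM sessions WHERE token = ?", (token,))  # prune the stale row
        return 403, None
    return 200, RequestContext(user_id, db_username, company_id, role)


def list_invoice_amounts(db: sqlite3.Connection, ctx: RequestContext) -> list:
    """Tenant-scoped query: company_id always comes from the session context,
    never from the request, so one tenant cannot read another's rows."""
    rows = db.execute("SELECT amount FROM invoices WHERE company_id = ? ORDER BY id",
                      (ctx.company_id,)).fetchall()
    return [r[0] for r in rows]


def can_delete_invoices(ctx: RequestContext) -> bool:
    """Permission decision made from the role retrieved with the session, not from the request."""
    return ctx.role == "admin"
```

The point of `RequestContext` is that the tenant and role are resolved once, from the session row, and handlers never read a company id or role out of the request itself; the expired-row deletion on the failure path keeps the session table from accumulating dead tokens.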