# Overview

App Services control authentication, permissions, file storage, and the custom API gateway across your backend. Open any project, switch to the Backend Console, and the **App Services** section is where every cross-cutting concern that sits in front of your Data Model lives.

## What's in App Services

<CardGroup cols={2}>
  <Card title="Authentication Providers" icon="key" href="/features/backend/app-services/authentication-providers/overview">
    Configure how users sign in. Built-in Archie Auth, third-party providers, or both running side by side.
  </Card>

  <Card title="Role-Based Access" icon="shield-halved" href="/features/backend/app-services/role-based-access">
    Define roles and the read, write, update, and delete permissions they grant on every table — including row-level filters.
  </Card>

  <Card title="File Manager" icon="folder-open" href="/features/backend/app-services/file-manager">
    Connect a storage backend (S3, GCS, Azure Blob, Filestack) and serve user uploads through the API.
  </Card>

  <Card title="Custom APIs" icon="route" href="/features/backend/app-services/custom-apis">
    Register HTTP routes that reverse-proxy to internal services with CORS, rate limiting, and circuit breakers.
  </Card>
</CardGroup>

## How App Services fit together

The four sub-areas form one coherent surface around your data:

* **Authentication Providers** decide who can sign in.
* **Role-Based Access** decides what an authenticated user (or an API key) is allowed to do.
* **File Manager** holds files that records reference.
* **Custom APIs** sit in front of internal services and bring them under the same auth and rate-limiting model.

A request flowing through Archie touches each of them in turn: the auth provider issues the token, RBAC checks the operation against the caller's roles, the [GraphQL](/features/backend/graphql-api-explorer/overview) and [REST](/features/backend/rest-api-explorer/overview) APIs serve the data, the File Manager backs any file fields, and a Custom API route can wrap any of that with extra policy.

## Per-environment configuration

Every App Services configuration is **per-environment**. Each [environment](/features/backend/environments/overview) maintains its own:

* Active authentication providers and their secrets
* Roles and their permissions
* File storage providers
* Custom API routes

When you branch a new environment, gateway routes and file-storage configurations can optionally be copied. **Authentication provider secrets and OAuth credentials are never copied** — they have to be re-entered in each environment for security reasons.

## Permissions are the API surface

Whatever you configure in [Role-Based Access](/features/backend/app-services/role-based-access) is what the auto-generated [GraphQL](/features/backend/graphql-api-explorer/overview) and [REST](/features/backend/rest-api-explorer/overview) APIs enforce. There's no separate "API permission" layer — the role grid is the contract.

External clients calling the API use tokens generated under [Backend → Settings → API Keys](/features/backend/settings/api-keys). Roles attach to those keys the same way they attach to authenticated users.

## FAQ

<AccordionGroup>
  <Accordion title="Where do I configure API keys?">
    Under **Backend → Settings → API Keys** — see [API Keys](/features/backend/settings/api-keys). Roles defined in [Role-Based Access](/features/backend/app-services/role-based-access) attach to those keys to control what they can do.
  </Accordion>

  <Accordion title="Are App Services configurations copied between environments?">
    File storage providers and Custom API routes can be copied when you branch a new environment. Roles live per-environment. Authentication provider secrets are deliberately not copied — re-enter them in each environment.
  </Accordion>

  <Accordion title="Can I run multiple authentication providers at once?">
    Yes. Multiple providers can be active simultaneously — for example, Archie Auth for end users and an API Token provider for service-to-service traffic. See [Authentication Providers](/features/backend/app-services/authentication-providers/overview).
  </Accordion>

  <Accordion title="Where do I configure CORS for the auto-generated APIs?">
    Under **Backend → Settings → Network**. The same allowed-origins list applies to GraphQL and REST. For per-route CORS on a [Custom API](/features/backend/app-services/custom-apis), configure it on the route itself.
  </Accordion>

  <Accordion title="What's the difference between RBAC and the auth provider?">
    The auth provider verifies who you are and issues a token. RBAC takes that identity (or an API key) and decides what it's allowed to do on each table. Auth is the doorman; RBAC is the access policy inside.
  </Accordion>
</AccordionGroup>
