Language: English EspaƱol
Bounded Context: Identity
Owner Aggregate: UserAccount
Functional Traceability: FS-18
PasswordCredential represents the protected local authentication secret of a UserAccount. It exists only for accounts using internal authentication. The web application manages it from User Accounts > Credentials; it never reads a password hash or historical credential identifier.
stateDiagram-v2
[*] --> Active : Set initial password
Active --> Historical : Rotate password
Historical --> [*] : Retained for audit only
| Surface | Contract | Behavior |
|---|---|---|
| REST command | POST /user-accounts/{userAccountId}/passwords |
Sets or rotates a local password. The API creates the BCrypt hash. |
| GraphQL query | User account fields hasActivePassword, passwordUpdatedAtUtc |
Returns status information only. |
| Web view | User Accounts > Credentials |
Offers a compact set/rotate form for eligible internal accounts. |
PasswordHash is never returned in REST or GraphQL projections.ErrorId; full diagnostics are kept in Serilog/Grafana Loki logs.