Every Arcadier marketplace exposes three portals, each corresponding to a primary role. All portals communicate with the same backend API layer. Arcadier enforces role-based access control (RBAC). A user’s role determines:
Which portal they can access.
Which data they can view or manage.
Which API endpoints they can call.
Portal
Role
Primary Capabilities & Access
Admin Portal
Admin
Marketplace operator.
Governs platform configuration, user management, categories, commissions, and payment gateways.
View and manage platform-wide orders, invoices and transactions.
Track marketplace performance and view analytics.
Accessed by Admins only.
Can promote users to Admin, Consumer or Seller roles.
Merchant Portal
Merchant (Seller)
Marketplace sellers - Upgraded from Consumer role (via UI or API).
Manages own listings (inventory or services), storefront, shipping and pickup options.
View, update and fulfill their own orders.
View, communicate and negotiate with buyers.
Track own performance and view analytics.
Accessed by Merchants and their sub-accounts.
User Portal (Buyer-facing website)
Consumer
End users - Default role assignment for all new user accounts.
Buyer-facing storefront, search and discovery of listings.
Multi-item, multi-merchant cart and checkout experience.
View, communicate and negotiate with merchants.
View order history and order tracking.
Accessed by Buyers (registered and guest) and their sub-accounts.
Any
Sub-User
Invited by a primary account (Admin, Merchant, Consumer)
Restricted permissions within the parent's portal (e.g., read-only, edit-only, etc).
Only access data within the parent account scope.
Role-Based API Enforcement
Role enforcement occurs at the token level. Tokens are tied to a role context and determine what the API will allow:
Merchant tokens cannot call admin-only endpoints.
Buyer tokens cannot access merchant resources.
Admin tokens can access platform-wide resources, subject to scopes and permissions.
