Authentication is handled by the Gravity Server authentication process.
When a user opens your app for the first time, they will be asked to sign in (or create a free account). If the user is successfully authenticated on the server, the sign in form executes a callback to the signin method contained in the AppContext and passes the user object.
The sign in process then executes three tasks:
Stores the user object (token, permission, name) in local storage
Sets the Bearer token for all API calls
Prompts the user to allow push notifications (if they haven't already)
Redirects the user to the dashboard
The next time the app is loaded, the app will check the auth status of the user and direct them to /signin if there isn't an active token.
User permissions for the client app are stored in /app/config.json under permissions.