Back-office

Twelve modules. One operator portal. Audit-grade from the first click.

Connect's back-office is the same software our own operators use every day — same RBAC, same audit log, same reports. Below is every module, with the actual screen, the things it does, and the engine that powers it.

Request a demo See pricing

Sessions

Every started, in-flight, and completed charging session — with the OCPP timeline, payment trail, and refund/dispute state attached.

  • Live + history view, status badges (started, charging, terminated, refunded, disputed)
  • Streaming CSV export for the filtered set
  • Click into the OCPP timeline + payment authorization timeline per session
  • Force-cancel with audit trail and operator-attributed reason code
  • Hides offline pill on terminal sessions; stamps resolved_at + audit force-cancel events

Powered by: billing_sessions + session_payment_authorizations tables · charging_attempts audit · OCPP AMQP realtime → state machine

Operator portal — Sessions list with status badges, search, and bulk export

Stations & Locations

Fleet-of-stations view with per-location dashboards, real-time fault panel, OCPP connector classification, and per-location tariff overrides.

  • Per-location dashboard endpoint with stations-by-location lookup
  • Faults panel filtered to OCPP-real faults (vendor codes preserved)
  • Connector classification by powerType, not hardcoded DC heuristic
  • Unified charger-location timezone for session and report alignment
  • Address + city auto-enriched on station creation

Powered by: stations + locations + station_connectors · faults table · per-location analytics aggregator

Operator portal — Stations and Locations dashboard with per-location utilisation and fault counts

Tariffs & Overrides

A tariff catalogue with per-team, per-location, per-connector overrides — and a snapshot of which tariff actually applied to every walk-up session.

  • Tariff catalogue with override count per team and per location
  • Walk-up tariff snapshot enriched with location context (timezone-correct)
  • Connector tariff lookup helper resolves by Citrine connector PK or OCPP id
  • Per-team tariffName + overrides count surfaced on team detail
  • All edits emit audit_logs events (tariffs.create / update / delete)

Powered by: tariffs + tariff_overrides + connector_tariff_assignments · walk-up snapshot writer · audit-mirror

Operator portal — Tariff editor with per-location override panel

Reports

A 23-template reports engine: revenue & P&L, settlement reconciliation, refunds, fleet AR aging, tariff effectiveness, session quality + SLO, network ops uptime, growth & retention cohorts, GDPR data exports, and more — scheduled, signed-URL emailed.

  • 23 templates in catalogue, each tenant-scoped + period-helper shared
  • Saved presets + scheduled runs via report_schedules + tick worker
  • Signed-URL export delivery + GET /runs + GET /export-audit endpoints
  • CSV and XLSX exporters with deterministic column ordering
  • Per-template RBAC: reports.export / reports.schedule / reports.admin

Powered by: report_runs + report_schedules + report_template_settings + export_audit tables · template registry · scheduler worker

Operator portal — Reports catalogue with 23 templates, scheduled runs, and export audit

Audit Log

One append-only event timeline for every financial, OCPP, RBAC, and configuration change — with a daily anchor hash and a verify endpoint so the chain is tamper-evident.

  • Central audit_logs foundation: financial, OCPP, RBAC, settings, push/exports
  • Daily anchor hash + nightly retention + chain verify endpoint
  • Prometheus metrics for emit rate, lag, anchor age
  • Request_id middleware threads correlation through every event
  • Refund + locations + stations + settings emit assertions covered by tests

Powered by: audit_logs table · daily anchor worker · auditEmit + auditEmitTs primitives · audit-mirror modules

Operator portal — Audit log timeline with daily anchor hash and chain verify status

Fleets

Multi-tenant fleets with RFID cards, bulk CSV import, dunning automation, and per-team scope on every report. The Teams→Fleets refactor landed live with no downtime.

  • Fleet RFID issue + bind + revoke with audit trail
  • Bulk CSV RFID import with OCPP 1.6 IdToken length validation (20 chars)
  • Aged-receivables report + dunning automation worker
  • Per-fleet scope on every report template + dashboard aggregate
  • Driver-binding required on fleet card creation; unbound tokens → clean Blocked/TOKEN_UNBOUND

Powered by: fleets + fleet_cards + fleet_invoices tables · dunning worker · Citrine adapter for fleets

Operator portal — Fleets list with RFID card count, AR aging, dunning status, and bulk CSV import

Push Campaigns

Operator-side push campaigns with audience segmentation, scheduling, and a send-effectiveness report. Built on a recoverable APNs HTTP/2 client.

  • BO sort + filter + search + per-row actions on /admin/push/campaigns
  • Per-campaign push & email send-effectiveness template
  • APNs HTTP/2 sessions recover after timeouts (dead-session recovery)
  • Email + push channel parity in the same campaign row
  • Per-user opt-out for the charging-session summary email

Powered by: push_campaigns table · APNs client · send-effectiveness analytics template

Operator portal — Push campaigns list with sort, filter, search, and per-row actions

Users & RBAC

A permission catalogue with scopes like reports.export, reports.schedule, users.export, audit.read — grouped into seeded Departments and assignable per team.

  • Permission catalogue with action + module + description on every permission
  • Seeded Departments (5) with per-department permission bundles
  • Per-team allow/deny rules enforced inside walk-up + fleet branches
  • CSV export of users gated by users.export
  • acquisitionSource exposed on /api/admin/users/:id for funnel reporting

Powered by: permissions + departments + department_permissions + team_permissions tables · TeamAccessRule

Operator portal — Users and RBAC with seeded Departments and per-team scoped access

What's New

An operator-side release-notes module with a prominent-entry flag, localised titles and short summaries, and a catch-up scroll ordering on published_at.

  • Localised title + short_summary per entry
  • Prominent flag for high-signal releases
  • Per-audience filtering: operator-only, driver-only, mixed
  • Backfilled published_at on every entry so catch-up scroll orders correctly
  • Versioned per release line (core, app, operator)

Powered by: whats_new_entries table · whatsnew TS module · audience filtering API

Operator portal — What's New release-notes module with prominent flag and localised entries

Erasure Requests

A GDPR Article 17 surface for receiving, fulfilling, and auditing erasure requests — with PII cascade-delete, audit-log scrub, and auth-token anonymisation.

  • End-to-end PII cascade-delete on user deletion
  • auth_tokens anonymised, leads cascade-deleted
  • Non-critical audit_logs PII scrubbed on user deletion
  • Operator UI to triage + fulfil + verify each request
  • Every erasure step emits a GDPR-typed audit event

Powered by: erasure_requests table · gdpr.* event taxonomy · cascade-delete pipeline

Operator portal — GDPR erasure requests queue with cascade-delete state and audit trail

Settings (Runtime Config)

Tenant-scoped runtime configuration: SMTP, store URLs, EMAIL_FROM_NAME, charging-session-summary email switch, QR-config flags — all editable without a redeploy.

  • SMTP grouping + EMAIL_FROM_NAME + per-tenant FROM headers
  • Store URLs (App Store + Play Store) read via runtime-config
  • QR-config flags (online/offline) without Citrine probe round-trip
  • Descriptive copy + .env.example parity for every allowlisted key
  • Surface deployed commit SHA via /api/version

Powered by: runtime_config table · settings module · /api/version endpoint

Operator portal — Runtime configuration editor with SMTP, store URLs, and per-tenant knobs

API & Webhooks

Everything the back-office does, exposed as REST with OpenAPI 3.1. Webhooks for session start/stop, payment events, and charger state changes. Token-scoped credentials.

  • OpenAPI 3.1 spec, browsable in-portal
  • Token-scoped credentials with per-route RBAC
  • Webhook delivery log with retry + signature verification
  • Rich /health (db + amqp + citrine + disk + memory + cpu)
  • Versioned via /api/version exposing deployed commit + CitrineOS version

Powered by: api_tokens + webhook_deliveries + audit-mirror · rich /health · /api/version

Operator portal — API & Webhooks browser with OpenAPI spec, token scopes, and webhook log

Want a hands-on tour?

Pick a 30-minute slot. We'll log you into a sandbox tenant with the shape of your real network — chargers, tariffs, fleets — and walk every module above.

Request a demo See pricing