# Dashboard Overview

> Understand how WireSocket manages your account, applications, and authentication tokens.

The WireSocket infrastructure is divided into two distinct layers: the **Dashboard** (Technical Control Plane) and the **Data Plane**.

While the Data Plane handles the real-time synchronization of your Yjs documents, the **Dashboard** is responsible for the management, security, and regional orchestration of your ecosystem.

***

## Core Elements

The Dashboard manages four primary entities:

### 1. Tenant

A **Tenant** represents your organization or root account.

* Top-level container for resources, billing, and team members.
* Each Tenant has its own unique **Signing Keys** for JWT issuance, ensuring cryptographic isolation from other organizations.

### 2. Apps

Within a Tenant, you can create multiple **Apps**. Each App represents a specific product or environment.

* **Identity**: Each App holds its own unique `client_id` and `client_secret`.
* **Data Residency**: Every App is pinned to a **License Region** (e.g., `aws-us-east-1`) during creation.
* **Data Isolation**: Document metadata is stored in isolated, regional database shards, ensuring your data is geographically localized and cryptographically separated.

### 3. Plans

A **Plan** defines the performance characteristics and usage limits for an App.

* **Limits**: Controls maximum concurrent connections, document counts, and operations per minute (OPM).
* **The "One Free" Rule**: Each Tenant is limited to **exactly one application on a Free Plan**. Additional applications require a paid subscription.
* **Flexibility**: Plans can be upgraded or downgraded through the dashboard. Transitions between paid tiers are handled seamlessly with prorated billing.

### 4. Nodes (Infrastructure Registry)

WireSocket maintains a **Global Registry** for its physical infrastructure to ensure high availability and intelligent routing.

* **Node Management**: We manage a global fleet of WebSocket nodes (e.g., `eu-central-1.wiresocket.net`).
* **Regional Orchestration**: The platform allows for zero-downtime maintenance and dynamic fleet scaling.
* **Discovery Backbone**: Our infrastructure powers the [Discovery process](/data-plane/dataplane#document-discovery), resolving the best physical node for any document session in real time.

***

## Security Enforcement

WireSocket defines security boundaries at the management layer that are then enforced at the network edge.

### Allowed Domains

To keep a stolen token from being used on another site (**Token Theft** protection), you can pin an application to up to 3 specific domains (e.g., `myapp.com`, `localhost:3000`).

* **Baked-in Security**: These domains are embedded directly into your JWT claims.
* **Edge Validation**: Data Plane nodes check the `Origin` header of every incoming connection against these claims. If they don't match, the connection is rejected instantly.
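
The edge check described above, sketched as an added example (not WireSocket's own code). It assumes the token's signature has already been verified, that the claim is named `allowed_domains` (a hypothetical name; the page does not give it), and that entries match the host exactly with no subdomain wildcarding.

```javascript
// Added example: Origin check against domains carried in already-verified JWT claims.
// Assumed: claim name `allowed_domains` (hypothetical), entries are host[:port] strings.

const WEB_SCHEMES = new Set(["http:", "https:"]);

// Reduce an Origin header to host[:port], or null if it is not a browser-style origin.
function originToHost(origin) {
  if (typeof origin !== "string") return null;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return null; // covers "", "null" (opaque origins) and malformed values
  }
  if (!WEB_SCHEMES.has(url.protocol)) return null;
  // Browsers send the serialised origin: lowercase, no path, no userinfo, no default port.
  // Anything that does not round-trip exactly is rejected rather than normalised.
  if (url.origin !== origin) return null;
  return url.host; // "myapp.com" or "localhost:3000"
}

// Fail closed: a missing header, a missing claim or an empty list all reject.
function isOriginAllowed(claims, originHeader) {
  const list = claims && Array.isArray(claims.allowed_domains) ? claims.allowed_domains : [];
  const host = originToHost(originHeader);
  if (host === null || list.length === 0) return false;
  // Exact comparison only: substring or suffix matching would accept look-alike hosts.
  return list.some((d) => typeof d === "string" && d.toLowerCase() === host);
}

// Constructed sample claims and headers (not real WireSocket token contents).
const sampleClaims = { sub: "app-demo", allowed_domains: ["myapp.com", "localhost:3000"] };
const sampleOrigins = [
  "https://myapp.com",
  "http://localhost:3000",
  "https://myapp.com.attacker.example",
  "https://notmyapp.com",
  "http://localhost:3001",
  "https://myapp.com/",
  "null",
  undefined,
];

function checkSamples() {
  return sampleOrigins.map((o) => isOriginAllowed(sampleClaims, o));
}

for (const o of sampleOrigins) {
  console.log(String(o).padEnd(38), isOriginAllowed(sampleClaims, o) ? "accept" : "reject");
}
```

The `Origin` header is set by browsers, and a non-browser client can send any value, so this check keeps a token from being used by another web page rather than authenticating the caller. Short Access Token lifetimes remain the control for tokens replayed outside a browser.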

***

## The Token Lifecycle

WireSocket uses standard **OAuth 2** flows for account management and synchronization.

* **Machine-to-Machine (M2M)**: Your backend server exchanges App credentials for a token, which is then passed to collaborative clients.
* **Resource Owner Password**: For interactive dashboard access using trusted identifiers (`client_id` + `client_secret`).

### Best Practice: Token Rotation

We support **Refresh Tokens** to minimize the exposure of your sensitive credentials.

1. **Access Token**: Short-lived. Used by your clients to connect to the Data Plane.
2. **Refresh Token**: Long-lived. Used by your backend to request new Access Tokens without needing to re-send the `client_secret`.

<Info>
  **Pro Tip**: Your authentication service should fetch the `client_secret` once
  during a "cold start" to obtain a token pair, then use the Refresh Token for
  all subsequent rotations. This allows you to purge the sensitive secret from
  active memory.
</Info>
