SemaFore portal

SemaFore Admin

Session layer

Log in through the portal BFF.

This form now follows the canonical portal-auth contract. The browser still only sees a signed portal session cookie, while the Go server owns the real JWT exchange behind the seam.

The canonical route is POST /auth/token with aud="portal"; the portal keeps the service token server-side and wraps the response in its own session cookie.

Portal auth
  • The login action runs on the server, not in the browser.
  • The session cookie is httpOnly, signed, and scoped to the portal.
  • Local development still uses the mock seam unless the real portal client is enabled.

Portal access

Sign in to sf-portal

Use the contract-backed login seam to get a portal session. The browser never sees the service token, and the live auth contract stays on POST /auth/token with aud="portal".

Use the portal demo credentials for local development: admin-a@test.semafore.io or super-a@test.semafore.io.