Preview-safe
Production login

Sign in through Supabase Auth, then prove tenant access through ControlLayer.

The web app exchanges credentials with Supabase Auth only on a server route (never from browser code), stores the resulting session in HttpOnly cookies with a bounded lifetime, and leaves it to the API to resolve roles, permissions, and module access from database membership records.

JWT: Bearer token issued by Supabase Auth and validated by the API

Tenant: Resolved from a deterministic tenant claim in the token, or from the tenant the user selected

RBAC: Database-backed roles only

Roles and permissions are never read from the browser or from token claims; the API resolves them from ControlLayer membership records, so a client-supplied or stale role claim cannot grant access.