SECURITY

Authentication

Cognito User Pools + JWT authorizer.

Customer & admin pools

StartupCore deploys separate Cognito User Pools for org portal (customer) and admin portal. Users sign up / sign in with email+password or Hosted UI. App clients issue access tokens (JWT).

Calling the API

Send Authorization: Bearer <accessToken> on tenant routes. API Gateway JWT authorizer validates the token. GET /me returns tenantId, roles, and permissions.

Portals (BFF)

Org/admin Next.js apps expose POST /api/auth/login (BFF) which proxies to POST /auth/login on the StartupCore API. The API Lambda calls Cognito USER_PASSWORD_AUTH and returns { accessToken, refreshToken, userId, tenantId }. Set httpOnly cookies in the BFF — never expose refresh tokens to browser JS.

Widget & server keys

Browser: public_widget pk_live_* only. Backend: secret_server sc_live_* with X-StartupCore-Api-Key-Id for POST /widget/sessions/authenticated.