SECURITY
Authentication
Cognito User Pools + JWT authorizer.
Customer & admin pools
StartupCore deploys separate Cognito User Pools for org portal (customer) and admin portal. Users sign up / sign in with email+password or Hosted UI. App clients issue access tokens (JWT).
Calling the API
Send Authorization: Bearer <accessToken> on tenant routes. API Gateway JWT authorizer validates the token. GET /me returns tenantId, roles, and permissions.
Portals (BFF)
Org/admin Next.js apps expose POST /api/auth/login (BFF) which proxies to POST /auth/login on the StartupCore API. The API Lambda calls Cognito USER_PASSWORD_AUTH and returns { accessToken, refreshToken, userId, tenantId }. Set httpOnly cookies in the BFF — never expose refresh tokens to browser JS.
Widget & server keys
Browser: public_widget pk_live_* only. Backend: secret_server sc_live_* with X-StartupCore-Api-Key-Id for POST /widget/sessions/authenticated.