Security
Security model
The portal is designed around scoped authorization, review gates, and least-privilege API access.
OIDC Claims
Apps receive verifiable subject, audience, organization, and entitlement context.
Scoped APIs
API calls are checked against scopes and organization ownership.
Safe Clients
Public apps use PKCE while confidential apps protect client secrets server-side.
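An added example, not the portal's own code: one way an API handler could apply the scope and organization-ownership checks described above to OIDC claims whose signature and expiry have already been verified. The claim names (`scope`, `org_id`), the audience value, and the `Resource` and `authorize` names are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

API_AUDIENCE = "https://api.portal.example"  # assumed audience identifier for this API


@dataclass(frozen=True)
class Resource:
    id: str
    org_id: str  # organization that owns the resource


def authorize(claims: dict, required_scope: str, resource: Resource) -> tuple[bool, str]:
    """Return (allowed, reason) for one API call; every failure path denies."""
    # Audience: the token must have been issued for this API, not another app.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if API_AUDIENCE not in audiences:
        return False, "wrong_audience"

    # Subject: an authenticated principal must be present.
    if not claims.get("sub"):
        return False, "missing_subject"

    # Scope: exact token match on the space-delimited list, never a prefix
    # or substring test ("projects:readwrite" must not satisfy "projects:read").
    granted = set(str(claims.get("scope", "")).split())
    if required_scope not in granted:
        return False, "insufficient_scope"

    # Ownership: a valid scope is not enough; the resource must belong to the
    # caller's organization. A missing org claim is a denial, not a wildcard.
    token_org = claims.get("org_id")
    if not token_org or token_org != resource.org_id:
        return False, "org_mismatch"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample claims and resource, for illustration only.
    claims = {"sub": "user-1", "aud": API_AUDIENCE,
              "scope": "projects:read profile", "org_id": "org-a"}
    print(authorize(claims, "projects:read", Resource("proj-1", "org-a")))
    print(authorize(claims, "projects:read", Resource("proj-9", "org-b")))
```

The second call is the case the ownership check exists for: a token with the right scope pointed at another organization's resource.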