Authentication Boundaries

Doc type: Explanation

What is trusted

• The hosted auth portal sets HttpOnly cookies for .yoyogroup.com.
• Consumer apps trust those cookies only after server-side verification.

What is not trusted

• Client-side JavaScript cannot read HttpOnly cookies.
• Any browser-visible session snapshot should only report minimal metadata and never raw tokens; treat it as descriptive data rather than an authoritative authentication decision.

How the portal enforces boundaries

• Password and token endpoints require Origin or Referer to match the origin allowlist configured for your app.
• Redirect targets must be HTTPS and allowlisted.

Related tasks

• Work With Shared Cookies
• Handle Redirects And Allowlists