Web SSO login
Heplon serves a single-page web app at its site root. Users sign in with their company SSO; the login flow runs server-side, so the browser holds only an opaque session cookie — never a token.
What the app shows
Session endpoints
The app reads and drives the session through these endpoints (cookie-based, not Bearer-token):
The session cookie
Access and refresh tokens are held server-side, keyed by the session id. They never appear in any browser-visible response, URL, or cookie.
See also
- Authoritative behaviour:
web-app-shell,web-bff-auth.