Web SSO login

Heplon serves a single-page web app at its site root. Users sign in with their company SSO; the login flow runs server-side, so the browser holds only an opaque session cookie — never a token.

What the app shows

StateWhat you see
Logged outA "log in" affordance and no user identity.
Logged inYour identity (at minimum name or email) and your tenant, plus a log-out action.

Session endpoints

The app reads and drives the session through these endpoints (cookie-based, not Bearer-token):

MethodPathPurpose
GET/api/auth/loginStart the login flow; redirects to Keycloak.
GET/api/auth/callbackOAuth callback; opens a session, sets the session cookie.
GET/api/auth/meReturns { name/email, tenant }, or reports unauthenticated.
POST/api/auth/logoutInvalidate the session and clear the cookie.
PropertyValue
Default nameheplon_session (HEPLON_WEB_SESSION_COOKIE)
FlagsHttpOnly, Secure, SameSite
Default lifetime8 hours (HEPLON_WEB_SESSION_TTL_SECS)
ContentsAn opaque session id only. No tokens.

Access and refresh tokens are held server-side, keyed by the session id. They never appear in any browser-visible response, URL, or cookie.

See also