In-house staff identity
Tenant staff sign in with email and password held by the platform itself — no third-party identity provider in the login path. Passwords are stored as bcrypt hashes, logins are rate-limited per address and account, and responses never disclose whether an email exists. Sessions are short-lived signed tokens carried in httpOnly, Secure cookies.