Client signup & login
Email + password authentication, signup wizard, and password reset — running against a dedicated backend with hashed credentials.
LoginStack is the BYOD onboarding and client-access platform behind every guest, device and operator interaction. Branded portals, role-based admin, audit-grade visibility — designed to sit on top of the network and identity systems you already run.
Tenants, sites, brands and operators in a single multi-tenant control plane.
Four-role model: master, internal, tenant admin, viewer — enforced at the route and module level.
Every signup, login, logout and password reset is recorded with actor, IP, agent and timestamp.
Passwordless, passkeys, MFA, social login and enterprise SSO — all part of the LoginStack platform.
Most operators have inherited a patchwork: a captive portal here, a guest CSV there, a vendor admin somewhere else. The result is fragmented visibility, ad-hoc onboarding, and audit pain whenever someone asks who connected last Tuesday at 14:07.
Different journeys per site, per brand, per vendor — and no single source of truth for what a client actually sees.
Adding a new site or operator means a ticket queue, not a workflow. Everything slows when access expands.
Tracing a connection back to a person, a venue and a moment in time is harder than it should be.
Regulators and security teams want timestamped, signed evidence. Most onboarding stacks weren't designed to provide it.
From the first tap on the portal to a fully recorded session, every step is owned by LoginStack — and every step is observable in the operator console.
Branded portal recognises the venue, brand and language automatically.
Email, password, or operator-defined step — backed by hashed credentials, never plaintext.
Membership and role are resolved against the tenant and the site policy.
Session token issued, scoped to the right modules, surfaces and resources.
Every action lands in the audit log: actor, IP, user-agent, action, timestamp.
The LoginStack admin is organised around the operator's day: workspace context on the left, the module in focus in the middle, role-aware actions everywhere. Every visual below is a representation of the actual product surfaces, not a stock dashboard.
Illustrative operator surface · roles and module names match the production platform · figures are sample data.
Most platforms ship a static form builder and a separate “preview”. LoginStack ships a single surface — the same DOM your clients see, rendered in real time as your operators drag, drop, recolour and rephrase. No round-trip, no rebuild, no rebrand-by-ticket.
Brand Studio's Live Canvas renders the production portal composition the moment you touch it. What you see is byte-identical to what your client lands on — because both surfaces are powered by the same shared component.
Drag any slot. Resize. Recolour. Edits emit per-slot patches and persist as draft state instantly.
The preview pane and the canvas are the same rendered DOM. Geometry, type, colour — pixel-for-pixel.
Three explicit stages. Publish is the only path that touches the public portal — everything before stays in your sandbox.
Every layout mutation lands in the audit log with actor, time, slot and diff — visible to your security team without an extra integration.
From client onboarding to enterprise identity, every capability below is part of the LoginStack platform today.
Email + password authentication, signup wizard, and password reset — running against a dedicated backend with hashed credentials.
HttpOnly + Secure cookies, only the hash of the session token is persisted, automatic revocation on logout and on password reset.
Multi-tenant by design. Each tenant owns its sites, branding, operators and audit history.
Four roles — master admin, internal admin, tenant admin, viewer — enforced by route guards and module-level entitlements.
A reusable pattern (backend session middleware + frontend `requireAuth` guard) lets new features inherit access control with no extra plumbing.
Signup, login, logout, password-reset request and password-reset completion — every auth event recorded with actor, IP, agent and timestamp.
Single-use, hashed reset tokens with a 30-minute expiry. Confirming a reset automatically revokes all existing sessions for the account.
Tenant-level branding, multi-step portal builder and a live preview surface that mirrors what the client will see.
Drag-and-drop directly on the production-rendered portal. Draft, Send to Preview, Publish — three explicit stages, every edit audit-logged.
Per-tenant, per-site session metrics and a live audit feed for operations and security.
WebAuthn and platform passkey support for client login — phishing-resistant, biometric-backed, no shared secret to leak.
One-click sign-in with Google, Microsoft and Apple. Configurable per tenant, optional per portal.
TOTP authenticators, push challenges and recovery-code flow for operator and high-risk client accounts.
Tenant-level identity federation with Okta, Azure AD, Google Workspace and any standards-compliant IdP.
Automated user provisioning and deprovisioning from upstream directories. Identities stay in lock-step with HR / IT systems of record.
An integrations registry and webhook delivery layer for downstream CRM, data and ops systems.
LoginStack's BYOD onboarding follows the same script every time: identify, qualify, consent, connect, record. Every step is configurable; none of the steps are skippable.
Client provides an email and (for new accounts) a name, company and password. Normalised, validated and routed against the right tenant.
Backend hashes the password with PBKDF2-SHA-256 (100,000 iterations, 32-byte derived key). Plaintext never reaches storage.
32-byte token, only the SHA-256 hash persisted. Cookie is HttpOnly, Secure, SameSite=Lax, scoped to the path, 14-day TTL.
Tenant membership and role decide which sites, modules and actions are visible. New protected resources inherit the same guard.
Signup, login, logout, password-reset events are written to the audit log with IP, user-agent, action and timestamp.
We don't claim certifications we don't hold. Here's what's actually in the platform today, and what we're working on next.
Passwords stored as PBKDF2-SHA-256 with a random per-account salt — never plaintext, never reversible, never logged.
Session cookies are HttpOnly, Secure, SameSite=Lax. JavaScript on the page never sees the session token.
Only the SHA-256 hash of every session token is stored. A leaked database row cannot replay a session.
Every database access uses parameter binding. No string-built SQL anywhere in the auth path.
State-changing endpoints require an Origin or Referer matching the host, blocking cross-site form posts.
Signup, login success, login failure, logout, password-reset request and completion — every event is recorded.
30-minute expiry, only the hash stored. Confirming a reset revokes every existing session for the account.
Auth runs at the edge on Cloudflare Workers, against a serverless D1 database. Low latency, no separate auth tier to operate.
GDPR & ePrivacy aligned, SOC 2 controls in place, audit evidence available on request.
Most platforms assume one company, one tenant. LoginStack starts from the opposite assumption: you are running several at once and you need to keep them clean.
One branded onboarding flow per venue, central control across the estate, full session and audit trail per site.
Tenants own their sites; sites inherit tenant branding and policy; central operators get a single estate view.
Run multiple client workspaces under one operator account. Role separation keeps each engagement clean.
Add tenants and sites without rebuilding access logic. Future protected modules and resources slot in behind the same auth.
Documents, dashboards and tools you publish later can be gated behind the same login with one reusable guard.
Security, compliance and ops teams get a chronological auth log with no extra integration work.
A hands-on environment to walk through tenant creation, portal config, an onboarding journey and the audit log — pre-seeded with sample data so you can explore without setup.
● Live sandbox · no install, no credit card.
The same platform supports one tenant or a hundred. Add sites and operators without rebuilding the access stack; protected modules and resources you launch later inherit the same guards.
One tenant, one portal, one operator account. Use the same auth, audit and branding that bigger estates run on.
Each tenant owns its sites, brand and roles. Cross-tenant operations stay clean thanks to module-level entitlements.
Inherit tenant policy down to site level. Audit, sessions, integrations and webhooks roll up to a single operator surface.
Launch the sandbox when it lands, run the auth flow live today on the LoginStack site, or talk to us about your estate.