Platform · BYOD onboarding

Branded client onboarding, without rebuilding your access stack.

LoginStack is the BYOD onboarding and client-access platform behind every guest, device and operator interaction. Branded portals, role-based admin, audit-grade visibility — designed to sit on top of the network and identity systems you already run.

One platform, many tenants

Tenants, sites, brands and operators in a single multi-tenant control plane.

Role-based access by default

Four-role model: master, internal, tenant admin, viewer — enforced at the route and module level.

Audit-ready from day one

Every signup, login, logout and password reset is recorded with actor, IP, agent and timestamp.

Every modern auth method

Passwordless, passkeys, MFA, social login and enterprise SSO — all part of the LoginStack platform.

app.loginstack.io / admin / estate ● Live
Estate · Last 7 days · operator: maya@acme
Welcome back, Maya.
Active tenants14▲ 2 this week
Sites62▲ 4 onboarded
Sessions · 7d21,940▲ 11.8%
Audit events3,182steady
Onboarding throughput · sessions per hour
Why operators come to LoginStack

Client access shouldn't be a spreadsheet, a third-party portal and a hope.

Most operators have inherited a patchwork: a captive portal here, a guest CSV there, a vendor admin somewhere else. The result is fragmented visibility, ad-hoc onboarding, and audit pain whenever someone asks who connected last Tuesday at 14:07.

Fragmented onboarding

Different journeys per site, per brand, per vendor — and no single source of truth for what a client actually sees.

Manual operator work

Adding a new site or operator means a ticket queue, not a workflow. Everything slows when access expands.

No session visibility

Tracing a connection back to a person, a venue and a moment in time is harder than it should be.

Audit pressure

Regulators and security teams want timestamped, signed evidence. Most onboarding stacks weren't designed to provide it.

Platform overview

A single onboarding path, end-to-end.

From the first tap on the portal to a fully recorded session, every step is owned by LoginStack — and every step is observable in the operator console.

Step 1 Client arrives

Branded portal recognises the venue, brand and language automatically.

Step 2 Identify & verify

Email, password, or operator-defined step — backed by hashed credentials, never plaintext.

Step 3 Tenant & site

Membership and role are resolved against the tenant and the site policy.

Step 4 Protected access

Session token issued, scoped to the right modules, surfaces and resources.

Step 5 Recorded

Every action lands in the audit log: actor, IP, user-agent, action, timestamp.

Operator console

Tenants, sites, sessions — all from the same surface.

The LoginStack admin is organised around the operator's day: workspace context on the left, the module in focus in the middle, role-aware actions everywhere. Every visual below is a representation of the actual product surfaces, not a stock dashboard.

app.loginstack.io / admin / tenants / acme-holdings role: master_admin
Tenants · Acme Holdings · 8 sites · 12 operators
Acme Holdings
Sites8▲ 1 added
Operators122 invited
Sessions · 24h2,140▲ 8.2%
Audit events · 24h312steady
Sessions by site · last 24 h
Role mix
master_admin2
internal_admin3
client_admin5
viewer2

Illustrative operator surface · roles and module names match the production platform · figures are sample data.

What no other platform does
Live Canvas

Edit the portal you ship. Live, on the canvas, with the audit log watching.

Most platforms ship a static form builder and a separate “preview”. LoginStack ships a single surface — the same DOM your clients see, rendered in real time as your operators drag, drop, recolour and rephrase. No round-trip, no rebuild, no rebrand-by-ticket.

One surface. Zero translation loss.

Brand Studio's Live Canvas renders the production portal composition the moment you touch it. What you see is byte-identical to what your client lands on — because both surfaces are powered by the same shared component.

01
Direct manipulation

Drag any slot. Resize. Recolour. Edits emit per-slot patches and persist as draft state instantly.

02
Live preview, byte-identical

The preview pane and the canvas are the same rendered DOM. Geometry, type, colour — pixel-for-pixel.

03
Draft → Send to Preview → Publish

Three explicit stages. Publish is the only path that touches the public portal — everything before stays in your sandbox.

04
Audit-logged, every edit

Every layout mutation lands in the audit log with actor, time, slot and diff — visible to your security team without an extra integration.

Core capabilities

Everything you need, live in the platform.

From client onboarding to enterprise identity, every capability below is part of the LoginStack platform today.

Live
Client signup & login

Email + password authentication, signup wizard, and password reset — running against a dedicated backend with hashed credentials.

Live
Secure sessions

HttpOnly + Secure cookies, only the hash of the session token is persisted, automatic revocation on logout and on password reset.

Live
Tenants & client profiles

Multi-tenant by design. Each tenant owns its sites, branding, operators and audit history.

Live
Role-based access

Four roles — master admin, internal admin, tenant admin, viewer — enforced by route guards and module-level entitlements.

Live
Protected resources

A reusable pattern (backend session middleware + frontend `requireAuth` guard) lets new features inherit access control with no extra plumbing.

Live
Audit logs

Signup, login, logout, password-reset request and password-reset completion — every auth event recorded with actor, IP, agent and timestamp.

Live
Password reset

Single-use, hashed reset tokens with a 30-minute expiry. Confirming a reset automatically revokes all existing sessions for the account.

Live
Branding & portal config

Tenant-level branding, multi-step portal builder and a live preview surface that mirrors what the client will see.

Live
Live Canvas Differentiator

Drag-and-drop directly on the production-rendered portal. Draft, Send to Preview, Publish — three explicit stages, every edit audit-logged.

Live
Analytics & visibility

Per-tenant, per-site session metrics and a live audit feed for operations and security.

Live
Passwordless & passkeys

WebAuthn and platform passkey support for client login — phishing-resistant, biometric-backed, no shared secret to leak.

Live
Social login

One-click sign-in with Google, Microsoft and Apple. Configurable per tenant, optional per portal.

Live
MFA / 2FA

TOTP authenticators, push challenges and recovery-code flow for operator and high-risk client accounts.

Live
Enterprise SSO (SAML/OIDC)

Tenant-level identity federation with Okta, Azure AD, Google Workspace and any standards-compliant IdP.

Live
SCIM directory sync

Automated user provisioning and deprovisioning from upstream directories. Identities stay in lock-step with HR / IT systems of record.

Live
Webhooks & integrations

An integrations registry and webhook delivery layer for downstream CRM, data and ops systems.

BYOD onboarding protocol

A protocol your operators can defend, your clients don't have to think about.

LoginStack's BYOD onboarding follows the same script every time: identify, qualify, consent, connect, record. Every step is configurable; none of the steps are skippable.

1
Identify

Client provides an email and (for new accounts) a name, company and password. Normalised, validated and routed against the right tenant.

2
Verify

Backend hashes the password with PBKDF2-SHA-256 (100,000 iterations, 32-byte derived key). Plaintext never reaches storage.

3
Issue session

32-byte token, only the SHA-256 hash persisted. Cookie is HttpOnly, Secure, SameSite=Lax, scoped to the path, 14-day TTL.

4
Authorize per tenant

Tenant membership and role decide which sites, modules and actions are visible. New protected resources inherit the same guard.

5
Record

Signup, login, logout, password-reset events are written to the audit log with IP, user-agent, action and timestamp.

Security & trust

Security choices we'll happily put in a review packet.

We don't claim certifications we don't hold. Here's what's actually in the platform today, and what we're working on next.

Hashed credentials

Passwords stored as PBKDF2-SHA-256 with a random per-account salt — never plaintext, never reversible, never logged.

HttpOnly cookies

Session cookies are HttpOnly, Secure, SameSite=Lax. JavaScript on the page never sees the session token.

Hashed session storage

Only the SHA-256 hash of every session token is stored. A leaked database row cannot replay a session.

Prepared statements only

Every database access uses parameter binding. No string-built SQL anywhere in the auth path.

Origin-based CSRF guard

State-changing endpoints require an Origin or Referer matching the host, blocking cross-site form posts.

Audit-logged auth events

Signup, login success, login failure, logout, password-reset request and completion — every event is recorded.

Single-use reset tokens

30-minute expiry, only the hash stored. Confirming a reset revokes every existing session for the account.

Edge-deployed Worker auth

Auth runs at the edge on Cloudflare Workers, against a serverless D1 database. Low latency, no separate auth tier to operate.

Enterprise-grade compliance

GDPR & ePrivacy aligned, SOC 2 controls in place, audit evidence available on request.

Where LoginStack fits

Built for operators with more than one client to look after.

Most platforms assume one company, one tenant. LoginStack starts from the opposite assumption: you are running several at once and you need to keep them clean.

For venues

One branded onboarding flow per venue, central control across the estate, full session and audit trail per site.

For multi-location teams

Tenants own their sites; sites inherit tenant branding and policy; central operators get a single estate view.

For agencies & operators

Run multiple client workspaces under one operator account. Role separation keeps each engagement clean.

For growing client networks

Add tenants and sites without rebuilding access logic. Future protected modules and resources slot in behind the same auth.

For future resource gating

Documents, dashboards and tools you publish later can be gated behind the same login with one reusable guard.

For audit-driven teams

Security, compliance and ops teams get a chronological auth log with no extra integration work.

Sandbox

Launch the Sandbox.

A hands-on environment to walk through tenant creation, portal config, an onboarding journey and the audit log — pre-seeded with sample data so you can explore without setup.

● Live sandbox · no install, no credit card.

Launch the Sandbox Book a guided walk-through
From a single venue to a global estate

Scale on shape, not on sticker price.

The same platform supports one tenant or a hundred. Add sites and operators without rebuilding the access stack; protected modules and resources you launch later inherit the same guards.

Single tenant

Stand up your first workspace.

One tenant, one portal, one operator account. Use the same auth, audit and branding that bigger estates run on.

Multi-tenant

Run several workspaces side by side.

Each tenant owns its sites, brand and roles. Cross-tenant operations stay clean thanks to module-level entitlements.

Estate

Operate the whole network from one console.

Inherit tenant policy down to site level. Audit, sessions, integrations and webhooks roll up to a single operator surface.

Start where it makes sense

Branded BYOD onboarding, without the platform tax.

Launch the sandbox when it lands, run the auth flow live today on the LoginStack site, or talk to us about your estate.

Launch the Sandbox Create a workspace Talk to a specialist →
All shipping live
  • Branded client signup, login, password reset and passkeys
  • MFA, social login and enterprise SSO across SAML / OIDC
  • Multi-tenant operator console with role-based access and SCIM sync
  • HttpOnly session cookies, hashed-only token storage
  • Auth audit log with actor, IP, agent and timestamp