Option A

API-Only Auth Flow

The app calls the auth API to get a redirect URL, then JavaScript performs the redirect. No hosted UI page required.

1. App calls GET /auth/login → receives {redirect_url}
2. JS redirects browser to Midway
3. User authenticates with Midway (hardware key)
4. Midway redirects to /auth/callback with code
5. Callback Lambda creates session, sets cookie, redirects to app

✅ Authenticated

Session active
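
The two server-side steps of this flow (1 and 4-5), as an added example that is not part of the original page or the project's own code. It assumes a `state` value bound to a short-lived cookie, OAuth-style query parameter names, API Gateway proxy-style event and response objects, placeholder URLs, and a hypothetical `createSession(code)` supplied by the caller; the page specifies none of these.

```javascript
// Added example; URLs, cookie names and query parameter names are assumptions.
const crypto = require("crypto");
const IDP_AUTHORIZE = "https://idp.example/authorize";     // placeholder for the Midway endpoint
const CALLBACK_URL = "https://app.example/auth/callback";  // placeholder
const APP_URL = "https://app.example/";                    // fixed target, never taken from the request

// Step 1: GET /auth/login returns {redirect_url} and pins a one-time state value to this browser.
function login() {
  const state = crypto.randomBytes(32).toString("hex");
  const url = new URL(IDP_AUTHORIZE);
  url.searchParams.set("redirect_uri", CALLBACK_URL);
  url.searchParams.set("state", state);
  return {
    statusCode: 200,
    headers: { "Set-Cookie": `auth_state=${state}; Max-Age=300; Path=/auth; HttpOnly; Secure; SameSite=Lax` },
    body: JSON.stringify({ redirect_url: url.toString() }),
  };
}

function readCookie(header, name) {
  for (const part of (header || "").split(";")) {
    const [k, ...v] = part.trim().split("=");
    if (k === name) return v.join("=");
  }
  return null;
}

function sameValue(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Steps 4-5: /auth/callback refuses a code that does not carry this browser's state,
// then creates the session, sets the cookie and redirects to the app.
// createSession(code) is hypothetical: it redeems the code and returns an opaque session id.
function callback(event, createSession) {
  const { code, state } = event.queryStringParameters || {};
  const h = event.headers || {};
  const expected = readCookie(h.cookie || h.Cookie, "auth_state");
  if (!code || !state || !expected || !sameValue(state, expected)) {
    return { statusCode: 400, headers: {}, body: "invalid login response" };
  }
  const sessionId = createSession(code);
  return {
    statusCode: 302,
    headers: { Location: APP_URL },
    multiValueHeaders: { "Set-Cookie": [
      `__Host-session=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`,
      "auth_state=; Max-Age=0; Path=/auth; HttpOnly; Secure; SameSite=Lax", // state is single-use
    ] },
  };
}
```

Because the session cookie is HttpOnly, the JavaScript that performs the redirect in step 2 never handles the session value itself.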