Option B

Hosted UI Auth Flow

The login button links directly to the auth API endpoint. The Lambda performs the 302 redirect to Midway — no JS redirect needed.

Key difference from Option A: Clicking login navigates directly to /auth/login-redirect. The Lambda returns 302 → Midway instead of JSON. The browser follows the redirect automatically.
1
User clicks login → browser navigates to /auth/login-redirect
2
Lambda returns 302 directly to Midway (no JS needed)
3
User authenticates with Midway (hardware key)
4
Midway redirects to /auth/callback with code
5
Callback Lambda creates session, sets cookie, redirects to app

✅ Authenticated

Session active

Compare with ← Option A: API-Only