Operator access
A short-lived session, not a browser-held credential.
The session service validates key ownership and full scope, then seals the credential in an encrypted HttpOnly cookie. Browser JavaScript receives organization metadata and a synchronized CSRF token only.
API remains tenant authority
Strict same-origin and CSRF enforcement
No localStorage, sessionStorage, or URL credential