Security follows the same boundaries as the product.

Sageroo keeps identity, authorization, and persistence on the backend. Browser clients operate through same-origin cookie sessions and server-owned account flows; access and refresh tokens are never stored in the browser.

Sessions

First-party BFF browser model

Portal and Console talk to server-owned BFF endpoints so cookies, token exchange, and refresh stay inside the server boundary.

AuthZ

Policy stays on the backend

Frontend apps only render the experience; workflow permissions, workitem visibility, and account actions are decided and enforced by the server, so a client that bypasses a UI check gains nothing.

Scope

Guest and public access remain explicitly constrained

Public intake and guest participation are scoped to the specific work they were granted for and never imply standing access to unrelated workflows or items.
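As an added example covering both the server-side policy point above and the guest-scope rule (illustrative code, not Sageroo's): one authorize() decision that the server uses for every access check and for computing what a caller may list. The workflow and workitem records, the role-to-action table, the guest session shape and the status mapping are hypothetical assumptions.

```javascript
// Added example (not Sageroo's code): one server-side policy decision that covers
// member permissions, workitem visibility, and guest scope. The records, roles and
// session shapes below are hypothetical; they stand in for server-owned data.

// Server-owned records. Plain objects keep the example offline; a real service
// loads these from its database, never from anything the client sent.
const workflows = {
  'wf-support': { members: { 'user-alice': 'owner', 'user-bob': 'agent', 'user-dave': 'agent' } },
  'wf-finance': { members: { 'user-carol': 'owner' } },
};
const workitems = {
  'wi-100': { workflow: 'wf-support', visibility: 'team' },
  'wi-101': { workflow: 'wf-support', visibility: 'assigned', assignee: 'user-bob' },
  'wi-200': { workflow: 'wf-finance', visibility: 'team' },
};

const ROLE_ACTIONS = {
  owner: new Set(['workitem.read', 'workitem.comment', 'workitem.close', 'workflow.manage', 'account.invite']),
  agent: new Set(['workitem.read', 'workitem.comment', 'workitem.close']),
};
// Guests get a fixed, small action set and no workflow-level actions at all.
const GUEST_ACTIONS = new Set(['workitem.read', 'workitem.comment']);

// Session shapes the session layer hands to policy (assumed):
//   { kind: 'member', sub: 'user-bob' }
//   { kind: 'guest', intakeItem: 'wi-100', expiresAt: <ms since epoch> }
// Returns { allow, reason }; `reason` is for server logs, not the client response.
function authorize(session, action, target, now = Date.now()) {
  if (!session) return { allow: false, reason: 'no session' };

  if (session.kind === 'guest') {
    if (session.expiresAt <= now) return { allow: false, reason: 'guest session expired' };
    if (!GUEST_ACTIONS.has(action)) return { allow: false, reason: 'action not available to guests' };
    // Scope is the exact item the intake issued the session for: no other item,
    // even in the same workflow, and nothing at workflow level.
    if (target.workitem !== session.intakeItem) return { allow: false, reason: 'outside guest scope' };
    return { allow: true, reason: 'guest scoped to intake item' };
  }

  if (session.kind === 'member') {
    const item = target.workitem ? workitems[target.workitem] : null;
    if (target.workitem && !item) return { allow: false, reason: 'unknown workitem' };
    const wfId = item ? item.workflow : target.workflow;
    const role = wfId && workflows[wfId] ? workflows[wfId].members[session.sub] : undefined;
    if (!role) return { allow: false, reason: 'not a member of workflow' };
    if (!ROLE_ACTIONS[role].has(action)) return { allow: false, reason: `role ${role} cannot ${action}` };
    // Visibility is a server rule too: assigned-only items are hidden from other agents.
    if (item && item.visibility === 'assigned' && item.assignee !== session.sub && role !== 'owner') {
      return { allow: false, reason: 'item not visible to this member' };
    }
    return { allow: true, reason: `member role ${role}` };
  }

  return { allow: false, reason: 'unknown session kind' };
}

// Listings are derived from the same decision, so the UI never receives an item
// the caller could not open directly.
function visibleWorkitems(session, now = Date.now()) {
  return Object.keys(workitems).filter(
    (id) => authorize(session, 'workitem.read', { workitem: id }, now).allow,
  );
}

// Map a decision to what the browser sees: denied item access returns 404, the
// same answer as a nonexistent item, so a client cannot enumerate ids it lacks.
function toHttpStatus(decision, target) {
  if (decision.allow) return 200;
  return target.workitem ? 404 : 403;
}
```

Two properties matter here. A guest session carries a single item id and an expiry, so even a guest who guesses a neighbouring id in the same workflow is refused, and the listing endpoint returns only that one item. And the detailed deny reason stays server-side; the browser gets the same 404 for "not yours" and "does not exist".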