Console
The console is a Next.js 14 static export deployed to S3 + CloudFront at
app.<domain>. It is the web surface for tenant owners, developers, and
platform admins.
Pages
| Route | Who sees it | Purpose |
|---|---|---|
/login | All | Cognito Hosted UI redirect (social + email/password) |
/pending | New users | Shown when approval_status=pending; wait for admin approval |
/onboarding | Approved new users | Workspace creation form |
/workspaces | All | List the user’s workspaces; owners can delete their own |
/ | All | Dashboard: proxy URL, getting-started checklist, quick actions |
/proxy | All | Proxy setup: OS-specific install snippets, env-var precedence warning |
/users | Owner | Invite/remove users, see role + grant status |
/grants | Owner | Grant editor: model picker, region picker, budget field |
/keys | All | API key list: create (raw value once), revoke, see name/last-used/expiry |
/models | All | Model catalog; developers see their grant’s filtered list |
/billing | All | Billing dashboard tabs: “My Usage”, “Tenant Billing” (owner) |
/settings | Owner | Tenant settings: name, default region, slug, tier, Stripe portal |
/admin | Platform admin | Tenant list, user approval, tier management |
Auth flow in the frontend
- The app checks
localStoragefor Cognito tokens on mount. - If absent or expired → redirect to
/login→ Cognito Hosted UI → PKCE → return with tokens. - The
use-authhook refreshes tokens automatically. - API requests carry
Authorization: Bearer <access_token>; a 401 triggers a single refresh-and-retry.
AuthGuard calls GET /v1/tenants/me after login and redirects users
with no active tenant to /onboarding (skipping the call when already on
/onboarding to avoid a redirect loop).
API client conventions
src/lib/api.ts attaches the bearer token, runs snakelizeKeys() on
request bodies, sends query params camelCase (no conversion), runs
camelizeKeys() on responses, and retries once on a 401 after refreshing
the token.
Last updated on