Hub authentication experience
Hub implements the platform Authentication Experience with Hub-owned classes. WordPress remains the credential authority.
Routes
/vexal-login/—vexal_mode=login(default) orlost-password- Unauthenticated Workspace → redirect to
/vexal-login/ wp-login.php— “Vexal Workspace Login” bridge link
Authentication vs authorization vs context
wp_signon proves identity. Hub then routes:
- Operators → Operator Console
- Customers with
vexal_hub_access→ Workspace (context still resolved there) - Others → site home
Lost password
Native Hub form calls WordPress retrieve_password() only for eligible Workspace customers. Unknown / non-customer / admin requests get the same generic success response (anti-enumeration). Set-new-password remains on core WordPress; eligible customers return to /vexal-login/?password-reset=success.
Customer Admin Guard
Workspace customers (vexal_hub_access, not operator/admin) are blocked from wp-admin and the admin bar, and redirected toward Workspace.
Roadmap
- Phase A — Account/site selection UI for
selection_required - Phase B — Safe return URLs after login
- Phase C — Branded logout →
/vexal-login/?vexal_msg=logged_out