Vexal Documentation by WileyLabs

Intake authentication experience

Stable

Versions: 1.0.027 (post-reset bridge), 1.0.028 (native lost-password + notices)

Intake owns the client-facing authentication UI. WordPress owns credentials. Product rules own who may use the lead inbox.

Client account portal

Route: /vexal-intake/account/ with modes:

  • wi_mode=login
  • wi_mode=register (invitation / approved flow)
  • wi_mode=lost-password (1.0.028)

1.0.027 — Post-reset bridge

  • After WordPress password reset, eligible Intake clients return to the account portal with password-reset=success
  • “Vexal Intake Client Login” link on wp-login.php
  • Administrators keep core recovery UX

1.0.028 — Native lost-password & polish

  • Lost-password form inside the account portal (no intentional first hop to wp-login.php?action=lostpassword)
  • Calls WordPress retrieve_password() for eligible clients only
  • Generic anti-enumeration success copy
  • Allow-listed account notices
  • Remember Me + accessible show/hide password
  • Secure set-new-password still uses WordPress core

Layers

Authentication (WordPress)
  ↓
Authorization (Intake owner / invite / inbox rules)
  ↓
Client dashboard (leads) — no wp-admin

No WordPress admin for clients

Lead owners use Intake front routes. They are not given an Operator Console or wp-admin workflow for day-to-day lead work.

See also