Intake authentication experience
Intake owns the client-facing authentication UI. WordPress owns credentials. Product rules own who may use the lead inbox.
Client account portal
Route: /vexal-intake/account/ with modes:
wi_mode=loginwi_mode=register(invitation / approved flow)wi_mode=lost-password(1.0.028)
1.0.027 — Post-reset bridge
- After WordPress password reset, eligible Intake clients return to the account portal with
password-reset=success - “Vexal Intake Client Login” link on
wp-login.php - Administrators keep core recovery UX
1.0.028 — Native lost-password & polish
- Lost-password form inside the account portal (no intentional first hop to
wp-login.php?action=lostpassword) - Calls WordPress
retrieve_password()for eligible clients only - Generic anti-enumeration success copy
- Allow-listed account notices
- Remember Me + accessible show/hide password
- Secure set-new-password still uses WordPress core
Layers
Authentication (WordPress)
↓
Authorization (Intake owner / invite / inbox rules)
↓
Client dashboard (leads) — no wp-admin
No WordPress admin for clients
Lead owners use Intake front routes. They are not given an Operator Console or wp-admin workflow for day-to-day lead work.