בס״ד

The Easy-Auth Pattern — person-friendly, behind your login (the standard going forward)

docs/PORTAL_AUTH_PATTERN.md · last changed (pre-VM history) · rendered from GitHub master

Locked Jun 30, 2026. The Schwab re-auth went from "desktop-only, fiddly, 30-second-window fragile" → "one page on your iPad: open → tap Authorize → paste → done, with a ✅ status banner." That's not a one-off — it's the pattern for every connection Sam owns. Learn it once, apply it everywhere.

The pattern (apply to every API)

The future-friendly standard: everything behind ONE login

All of it lives at ops.hookstreetservices.com behind Cloudflare Access (Sam's Google login). One login → the cockpit, the connections, the briefs, the re-auths. No keys in URLs, no per-tool logins, no desktop. It's his. The baked-key Apps Script page works today; the real version is the same page served through the portal so CF Access gates it.
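One check the portal origin can run once the page is served through Cloudflare Access, as an added example (not code from this repo): verify the signed `Cf-Access-Jwt-Assertion` header that Access attaches to each request, so a request that reaches the origin without passing Access is rejected. The team domain, AUD tag, key id and email below are constructed placeholders; in production the public keys come from the team's `/cdn-cgi/access/certs` endpoint.

```javascript
// Added example: origin-side check of the Cloudflare Access JWT (RS256).
const crypto = require('node:crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const parsePart = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Verify a Cf-Access-Jwt-Assertion value. `keys` maps kid -> public KeyObject
// (in production, loaded from the team's /cdn-cgi/access/certs endpoint).
function verifyAccessJwt(token, { keys, audience, issuer, allowedEmails, now = Date.now() / 1000 }) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try { header = parsePart(parts[0]); claims = parsePart(parts[1]); }
  catch { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm: never let the token choose "none" or HS256.
  if (header.alg !== 'RS256') return { ok: false, reason: 'bad alg' };
  const key = keys[header.kid];
  if (!key) return { ok: false, reason: 'unknown kid' };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const sig = Buffer.from(parts[2], 'base64url');
  if (!crypto.verify('RSA-SHA256', signed, key, sig)) return { ok: false, reason: 'bad signature' };
  if (claims.iss !== issuer) return { ok: false, reason: 'wrong issuer' };
  const aud = [].concat(claims.aud || []);
  if (!aud.includes(audience)) return { ok: false, reason: 'wrong audience' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  if (!allowedEmails.includes(claims.email)) return { ok: false, reason: 'email not allowed' };
  return { ok: true, email: claims.email };
}

// --- Constructed fixtures: throwaway key, placeholder team/AUD/email ---
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const policy = {
  keys: { 'kid-1': publicKey },
  audience: 'EXAMPLE_AUD_TAG',
  issuer: 'https://example-team.cloudflareaccess.com',
  allowedEmails: ['owner@example.com'],
};
function mintToken(claims, header = { alg: 'RS256', kid: 'kid-1' }, key = privateKey) {
  const head = b64url(JSON.stringify(header));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(`${head}.${body}`), key);
  return `${head}.${body}.${b64url(sig)}`;
}
const goodClaims = { iss: policy.issuer, aud: [policy.audience], email: 'owner@example.com',
  exp: Math.floor(Date.now() / 1000) + 300 };
console.log(verifyAccessJwt(mintToken(goodClaims), policy));
```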

Connections to bring under this pattern (Sam already has access)

| Connection | Today | Easy-auth page to build |
| --- | --- | --- |
| Schwab (898, live quotes) | ✅ keyed one-page (stopgap) | migrate behind CF Access |
| Plaid (banks/cash) | re-link breaks silently | a "re-link" page w/ status (same expiry pain) |
| IBKR (3rd brokerage) | alerts only | API connect page when funded |
| Hospitable (STR PMS) | PAT token | token-health page |
| Finnhub (quotes/news) | key | key-health page |
| Google (Cal/Gmail/Drive) | MCP (agent layer) | surface status on the hub |

→ A single Connections hub on the portal: every source, its live status, one-tap re-link. CF-Access-gated.

Make it fun + interactive (Sam's ask — design direction)

The portal shouldn't feel like a config panel. It should feel alive:
- Tap-to-act everywhere (already the home/cockpit direction) — every card does something.
- Live status that updates — green/amber dots, ages, "last refreshed" — the system talks back.
- Progress you can feel — the 2.5%/mo target as a gauge/streak; drawdown as a dial; "dollar working hardest" nudges.
- The cockpit as a command center, not a spreadsheet — the thing Sam wants to open, not excavate.

Ownership

MIS provides the connection specs + the engine pieces. Brain/#042 owns the portal + CF Access + the connections hub. Pattern proven on Schwab (MIS/v2 fn=schwabsetup); generalize from there.

Source trail · docs/PORTAL_AUTH_PATTERN.md @ master · rendered 2026-07-02 7:23 PM EDT by scripts/build-docs.py · the .md in the repo is the truth; this page is the phone-readable view