Narrow auth-first shell for protected admin access.

This first release only proves sign-in, backend bootstrap, role-aware gating, and logout. It does not ship broader admin modules.

Public entry

Dedicated login route for staff users only

Bootstrap source

GET /api/v1/admin-auth/me after OIDC sign-in

Protected exit

POST /api/v1/logout before returning to public state

OpenMedical Admin Portal

Start ZITADEL OIDC sign-in, then let the backend confirm whether the caller is allowed to open the admin shell.

Admin Portal

API origin

The protected admin bootstrap request is sent to this origin after OIDC returns.

OIDC client id

This public client id is used for the PKCE authorize and token exchange flow.

Admin MFA remains enforced in ZITADEL. This frontend only initiates the flow and then consumes the existing protected backend contracts.