Noah's Nest login.
Dev/staging Cognito authentication can be enabled through Auth.js for protected dashboard previews. Production auth and PHI-capable workflows remain disabled.
Sign in with Noah's Nest account.
Dev/staging access uses Cognito through Auth.js only when safe server-side configuration is present. Sessions expose only the Cognito user id, email, verification flags, and group-derived app role.
Cognito sign-in unavailable
Cognito runtime is disabled in production.
Role dashboards require a safe auth session.
The cards below are sample role previews, not account role assignment controls. Opening a protected dashboard without signing in redirects back here. Dev/staging role access is based on Cognito groups and future app-owned RBAC, not hidden UI controls.
Sample parent portal
Preview saved matches, recommended providers, resources, account verification states, and future case access.
Open parent preview
Sample provider portal
Preview application readiness, assigned case previews, documentation readiness, superbill status, and future payout onboarding.
Open provider preview
Sample admin command center
Preview referral queues, cases, outcomes, superbill readiness, and partner reporting links with sample data only.
Open admin preview
Sample clinician referral
Preview the clinician referral experience. This does not submit, transmit, or store referrals.
Open referral preview
Auth-aware sample-data boundary
The login preview is protected by Cognito/Auth.js route middleware, but the records shown here are still sample-only. No real PHI, uploads, operational records, payments, claims, billing data, or saved portal state are stored.
Cognito authentication boundary
Authentication now routes through AWS Cognito with Auth.js. Email/phone verification, MFA policy hardening, app-owned RBAC, case-scoped authorization, audit logs, and secure data storage remain required before real PHI-bearing portal workflows go live.
Future verification status
Future MFA status
MFA: planned. Parents and providers may start with optional MFA, while admin, billing, compliance, partner-viewer, and sensitive provider roles require MFA before production access.
Protected route, sample data
Future dashboards now require Cognito/Auth.js authentication where routed through protected areas. Real records still require app-owned RBAC, case-scoped access, audit logs, secure storage, and security/legal review before they are available.
Future session security
Auth.js session handling is active for Cognito sign-in. Before PHI-bearing workflows, sessions still need approved expiration, revocation, device/session event logging, PHI-safe logs, MFA policy, and legal/compliance review.
Login paths are separated by role claims.
Cognito groups separate parent login, provider login, referring clinician login, and admin/staff login in dev/staging. Staff, admins, and providers should require MFA before any PHI-sensitive or operational access is enabled.
Parent login
Requires parent group.
Provider login
provider_pending cannot access patient/case/referral PHI; provider_approved requires assignment.
Referring clinician login
Referral portal access is group-limited.
Admin/staff login
Admin access requires admin or super_admin group.
No PHI belongs in Cognito sessions.
The session shape is intentionally narrow: Cognito user id, email, and groups/role only. Patient details, referrals, case notes, documents, superbills, insurance information, payment data, and tax data must stay out of Cognito attributes, session callbacks, logs, and token mocks.
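One way to enforce the narrow session shape and group-derived role described above, as an added example that is not Noah's Nest code. The function names, the role precedence order, and the `referring_clinician` group name are assumptions; the claims object is constructed sample input.

```javascript
// Added example; function and constant names are hypothetical.
// Highest privilege first. The order and the "referring_clinician" group
// name are assumptions; the other group names appear on the page.
const ROLE_PRECEDENCE = [
  "super_admin", "admin", "provider_approved",
  "provider_pending", "referring_clinician", "parent",
];

// Verification flags can arrive as booleans or as the string "true".
const isTrue = (v) => v === true || v === "true";

// Derive one app role from the Cognito groups claim. Unknown groups are
// ignored; no recognised group means no role (deny by default).
function roleFromGroups(groups) {
  if (!Array.isArray(groups)) return null;
  const known = new Set(groups.filter((g) => typeof g === "string"));
  return ROLE_PRECEDENCE.find((r) => known.has(r)) || null;
}

// Build the session from an allow-list of claims. Anything not copied here
// (custom attributes, names, notes) never reaches the session object.
function toNarrowSession(claims) {
  if (!claims || typeof claims.sub !== "string" || claims.sub === "") {
    throw new Error("missing Cognito user id (sub)");
  }
  return Object.freeze({
    userId: claims.sub,
    email: typeof claims.email === "string" ? claims.email : null,
    emailVerified: isTrue(claims.email_verified),
    phoneVerified: isTrue(claims.phone_number_verified),
    role: roleFromGroups(claims["cognito:groups"]),
  });
}

// Role gate for a protected route: no session or no role means no access.
function canOpen(session, allowedRoles) {
  return Boolean(session && session.role) && allowedRoles.includes(session.role);
}

// Constructed sample claims, including attributes that must be dropped.
const SAMPLE_CLAIMS = {
  sub: "00000000-0000-4000-8000-000000000000",
  email: "provider@example.test",
  email_verified: "true",
  phone_number_verified: false,
  "cognito:groups": ["provider_pending", "beta_testers"],
  "custom:case_note": "constructed value that must not reach the session",
  name: "Constructed Name",
};
```

A role gate like this only covers the group check; case-scoped authorization (for example, `provider_approved` requiring assignment) still has to be enforced by the app-owned RBAC the page lists as outstanding.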