Separate cookie-based auth system for clients. They get their own login experience, completely scoped to their data with granular permissions.
The client portal uses an entirely separate authentication system from the staff dashboard. Clients authenticate with email and password, receiving an httpOnly session cookie (client_session_token) that scopes all their API requests to their own client ID. There is zero chance of a client accidentally seeing another client's data — the scoping happens at the API layer, not just the UI layer.
Invite clients to the portal by email. They receive a branded invitation with a link to set their password and complete their profile. The invitation specifies which permissions the client will have — invoice viewing, approval capabilities, comment access — so you control exactly what each client contact can see and do from the moment they first log in.
Each client user is assigned a set of permissions: canViewInvoices, canApproveWork, canAddComments, and more. Permissions are evaluated on every API request and used to conditionally render navigation items and page content. A client's marketing manager might have full access, while their CEO only sees invoices and high-level project status — same client account, different permission sets.
The client portal uses a clean, dedicated layout separate from the agency dashboard. Clients see a focused sidebar with only the sections relevant to them — dashboard, projects, approvals, gallery, invoices, and notifications. No internal tools, no other client data, no agency operations. The experience is professional and purpose-built for external stakeholders.