AuthKit ↔ Azure SWA spike (server-verified variant)

Flow: /api/auth/login → hosted AuthKit (magic code) → /api/auth/callback exchanges the code server-side → HttpOnly session cookie → /api/whoami verifies the access token via WorkOS JWKS.

Sign in (WorkOS Magic Auth) Sign out

/api/whoami (server-side JWKS verification result)

loading…