// client_portals
Client Portal Development
Secure customer-facing platforms: accounts, documents, status tracking, billing. The surface your clients touch — engineered so one tenant can never see another.
// what_we_build
What We Build
One login where your clients see their projects, status, and history. Reads are scoped to their tenant at the database, not filtered in the UI.
Upload, review, and delivery flows with per-file access scoping. Every download is authorized and logged — including the ones from expired links.
Live progress your clients check instead of emailing you. State comes from the system of record, so the timeline never lies.
Invoices, payment methods, plan changes. Wired to the payment provider through webhooks and reconciled, so the portal and the ledger agree.
Portals that grow into products. Tenant isolation, roles, and billing are designed as architecture from the first migration.
// how_portals_fail
How Portals Fail
A portal is an attack surface with your clients’ data behind it. These failures are not hypothetical — they are the standard ways customer-facing platforms leak.
TENANT_DATA_LEAK
Client A changes an ID in the URL and reads Client B’s invoices. The query filtered by nothing but trust.
Counter: Isolation is enforced with row-level security at the database. Every query carries the tenant, and cross-tenant access is tested as an attack before launch.
BROKEN_MAGIC_LINK_AUTH
A login link gets forwarded, or a corporate email scanner clicks it first and burns it. Either way, auth breaks in the field.
Counter: Links are single-use, short-lived, and bound to the requesting session — with a confirmation step that survives the scanners.
STALE_STATUS_STATE
The portal says “in review” while the work shipped days ago. The client stops trusting the portal and starts emailing again.
Counter: Status is read from the operational system, not mirrored by hand. When a sync fails, the portal shows the failure instead of the old state.
FILE_ACCESS_WITHOUT_SCOPE
A signed file URL leaks in a forwarded email — and works for anyone, forever.
Counter: File access runs through short-lived, per-user grants tied to tenant scope. Nothing sensitive lives behind a URL that never expires.
// faq
Questions
How is client data isolated?
Do you support SSO and magic links?
What does a client portal cost?
Can the portal integrate with our existing systems?
How long does a portal build take?
If clients email for status because they do not trust the portal — or there is no portal — Discovery is the next step.