CMS Authentication

Client	Type	Used For
`cms`	Public (no secret)	Decap CMS admin login, staff portal, user guides
`veripath-site`	Confidential (has secret)	Legacy — Nuxt Studio OIDC (no longer used)

Route	Requirement	Content
`/admin/`	Any valid Keycloak session	Decap CMS — edit all content
`/api/decap-proxy`	Any valid Keycloak session	Decap CMS API backend
`/internal/`	Any valid Keycloak session	Staff portal, internal policies, business plan
`/guides/`	Any valid Keycloak session	User manuals
`/` (public)	None	Homepage, blog, public policies

Endpoint	Method	Purpose
`/auth/verify`	GET	nginx auth_request target (internal only)
`/api/auth/login`	GET	Initiate OIDC login
`/api/auth/callback`	GET	OIDC callback handler
`/api/auth/session`	GET	Return current session info (JSON)
`/api/auth/logout`	GET	Destroy session

¶ Authentication & Authorization