The Self-Service Portal uses multiple layers of security to protect your congregation’s data while keeping the experience simple for members.

Authentication Model

The portal uses passwordless authentication via email OTP (One-Time Password):
  1. Member enters their email address
  2. A 6-digit code is sent to their inbox
  3. The code is valid for a limited time window
  4. Upon verification, a portal token is issued
Portal tokens are separate from the main application’s Supabase Auth sessions. They are purpose-built for the limited scope of portal actions.

Portal Tokens

Property        Value
Token type      UUID v4
Default expiry  90 days from issuance
Storage         member_portal_tokens table
Scope           Single member, single tenant
Revocation      Admin can delete token to revoke access
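The following is an added example, not AdoraPlan's code, that models the four-step email OTP login above together with the portal-token properties in the table: a salted hash of the 6-digit code is stored with an expiry and attempt counter, the code is compared in constant time and consumed on first use, and a successful check issues a UUID v4 token bound to one member in one tenant with a 90-day expiry. The 10-minute OTP window, the 5-attempt cap, the in-memory stand-ins for the challenge store and the member_portal_tokens table, and the (tenant, email) member lookup are all assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

OTP_TTL = timedelta(minutes=10)  # assumed "limited time window" for the 6-digit code
OTP_MAX_ATTEMPTS = 5             # assumed guess cap; 10^6 codes are cheap to enumerate otherwise
TOKEN_TTL = timedelta(days=90)   # default expiry from the Portal Tokens table


def _now() -> datetime:
    return datetime.now(timezone.utc)


def _hash_code(code: str, salt: str) -> str:
    # Only a salted hash is stored, so a leaked challenge row does not yield a usable code.
    return hashlib.sha256(f"{salt}:{code}".encode()).hexdigest()


@dataclass
class OtpChallenge:
    email: str
    code_hash: str
    salt: str
    expires_at: datetime
    attempts: int = 0
    used: bool = False


@dataclass
class PortalToken:
    token: str        # UUID v4 string
    member_id: str    # single member ...
    tenant_id: str    # ... in a single tenant
    issued_at: datetime
    expires_at: datetime


@dataclass
class PortalAuth:
    """In-memory stand-in (assumed) for the OTP challenge store and the member_portal_tokens table."""
    members: dict[tuple[str, str], str]                 # (tenant_id, email) -> member_id
    challenges: dict[str, OtpChallenge] = field(default_factory=dict)
    tokens: dict[str, PortalToken] = field(default_factory=dict)

    def request_code(self, email: str, now: datetime | None = None) -> str:
        """Steps 1-2: mint a 6-digit code for the address. Returns the code that would be
        emailed; the store keeps only its hash. A new request replaces any older challenge."""
        now = now or _now()
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, uniform over 000000-999999
        salt = secrets.token_hex(8)
        key = email.strip().lower()
        self.challenges[key] = OtpChallenge(key, _hash_code(code, salt), salt, now + OTP_TTL)
        return code

    def verify_code(self, tenant_id: str, email: str, code: str,
                    now: datetime | None = None) -> PortalToken | None:
        """Steps 3-4: check the code; on success consume it and issue a portal token."""
        now = now or _now()
        key = email.strip().lower()
        ch = self.challenges.get(key)
        if ch is None or ch.used or now >= ch.expires_at or ch.attempts >= OTP_MAX_ATTEMPTS:
            return None
        ch.attempts += 1   # counted before the comparison so every failure costs an attempt
        if not hmac.compare_digest(ch.code_hash, _hash_code(code, ch.salt)):
            return None
        member_id = self.members.get((tenant_id, key))
        if member_id is None:
            return None    # correct code, but no member with that email in this tenant
        ch.used = True     # single use: the same code cannot log in twice
        tok = PortalToken(str(uuid.uuid4()), member_id, tenant_id, now, now + TOKEN_TTL)
        self.tokens[tok.token] = tok
        return tok

    def resolve_token(self, token: str, now: datetime | None = None) -> PortalToken | None:
        """Look up a presented token; expired or revoked (deleted) tokens resolve to None."""
        now = now or _now()
        tok = self.tokens.get(token)
        if tok is None or now >= tok.expires_at:
            return None
        return tok

    def revoke_token(self, token: str) -> bool:
        """Admin revocation is just deleting the row; the next request fails to resolve."""
        return self.tokens.pop(token, None) is not None
```

Because the token is nothing more than a random UUID looked up in a table, revocation is immediate and needs no denylist: once the row is gone, resolve_token returns None and the member has to complete a fresh OTP login.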

Tenant Slug

Each organization has a unique slug used in the portal URL. This ensures:
  • Visitors register to the correct church
  • All data queries are scoped to the tenant
  • No cross-tenant data leakage
Example URL: https://app.adoraplan.com/portal/register/gracechurch

Security Best Practices

For Admins:
  • Review pending registrations promptly
  • Revoke tokens for members who leave
  • Use a recognizable tenant slug (your church name)
  • Monitor the Care Dashboard for unusual registration activity

Data Access Scope

Portal members can only access:
  • ✅ Their own profile
  • ✅ Their own family members
  • ✅ Public events for their tenant
  • ✅ Their own roster assignments
  • ✅ Their own prayer requests
  • ❌ Other members’ profiles
  • ❌ Admin functions
  • ❌ Care request management
  • ❌ Cross-tenant data
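As an added example that is not AdoraPlan's code, the block below serves both the Tenant Slug section and the Data Access Scope list: it resolves the URL slug to a tenant, refuses a token issued for a different tenant, and then applies the allow/deny rules above per resource (own profile and family members, public events of the tenant, own roster assignments and prayer requests; never other members' profiles, care requests, admin functions, or anything cross-tenant). The Resource names and the small sample tables are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Resource(str, Enum):
    PROFILE = "profile"                      # own profile, or a family member's
    EVENT = "event"                          # public events of the member's tenant
    ROSTER_ASSIGNMENT = "roster_assignment"  # own assignments only
    PRAYER_REQUEST = "prayer_request"        # own requests only
    CARE_REQUEST = "care_request"            # admin-only, never via the portal
    ADMIN = "admin"                          # admin-only, never via the portal


@dataclass(frozen=True)
class PortalPrincipal:
    """What a resolved portal token asserts: exactly one member in one tenant."""
    member_id: str
    tenant_id: str


# Constructed sample data standing in for the tenant, member, family, event and
# ownership tables (assumed shapes, not the real schema).
TENANTS_BY_SLUG = {"gracechurch": "tenant-1", "hopechapel": "tenant-2"}
MEMBERS = {"m-1": "tenant-1", "m-2": "tenant-1", "m-3": "tenant-1", "m-9": "tenant-2"}
FAMILIES = {"m-1": {"m-2"}}  # m-2 is in m-1's family; m-3 is not
EVENTS = {                   # event id -> (tenant_id, is_public)
    "e-1": ("tenant-1", True),
    "e-2": ("tenant-1", False),
    "e-3": ("tenant-2", True),
}
OWNED = {                    # resource type -> {resource id -> owning member id}
    Resource.ROSTER_ASSIGNMENT: {"r-1": "m-1", "r-2": "m-3"},
    Resource.PRAYER_REQUEST: {"p-1": "m-1", "p-2": "m-2"},
}


def tenant_from_slug(slug: str) -> str | None:
    """Resolve the slug from the portal URL (e.g. /portal/register/gracechurch) to a tenant id."""
    return TENANTS_BY_SLUG.get(slug.strip().lower())


def can_read(p: PortalPrincipal, resource: Resource, resource_id: str) -> bool:
    """Apply the Data Access Scope rules for one resource. Deny is the default."""
    if resource in (Resource.ADMIN, Resource.CARE_REQUEST):
        return False  # admin functions and care request management are not portal features
    if resource == Resource.PROFILE:
        if MEMBERS.get(resource_id) != p.tenant_id:
            return False  # unknown member or another tenant's member: deny before any ownership logic
        return resource_id == p.member_id or resource_id in FAMILIES.get(p.member_id, set())
    if resource == Resource.EVENT:
        tenant_id, is_public = EVENTS.get(resource_id, (None, False))
        return tenant_id == p.tenant_id and is_public
    if resource in OWNED:
        return OWNED[resource].get(resource_id) == p.member_id
    return False


def authorize(slug: str, p: PortalPrincipal, resource: Resource, resource_id: str) -> bool:
    """Full per-request check: the slug in the URL must belong to the tenant the token was
    issued for, and only then are the resource rules consulted."""
    tenant_id = tenant_from_slug(slug)
    if tenant_id is None or tenant_id != p.tenant_id:
        return False  # a valid token from one church is useless under another church's slug
    return can_read(p, resource, resource_id)
```

Two points are worth noting in the design. The tenant check runs before any resource lookup, so a request can never reach another tenant's rows even when the resource id happens to exist there; and every branch of can_read ends in an explicit comparison against the principal, so a new resource type is denied until a rule is written for it.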

Related pages

  • Visitor Registration: the registration and approval flow
  • Portal Overview: all portal features at a glance