Client portal — sharing project visibility

Token-scoped read-only links for owners and developers.

Open /projects/[id] → “Share with client” panel. Pick what to share — IPCs, milestones, ₹ amounts, recent uploads — pick an expiry, and Aayu mints a single-use token. The link surfaces exactly once at creation; we store only the SHA-256 hash so a DB leak can't replay it.

What the client sees

An unauthenticated read-only page with the project header, the scopes you granted, and nothing else. No links back into the auth flow; the surface is deliberately sealed.

Revoking

Same panel — click Revoke on any active link. Effective immediately; cached photos in the client's browser stop working at the next request.

Audit

Every share-link create + revoke writes an audit row. The portal page also bumps lastViewedAt so the manage UI shows “viewed 3 hours ago” against active links.

Anything missing here? Email support — include the URL and your firm name.