Authentication foundation is preserved.

Checks

• Curva still renders the same Descope flow for login.
• Google is marked enabled in Curva auth configuration.
• Google provider claims already map cleanly into Curva identities.

Next steps

• Keep Google connected in the Descope flow.
• Re-run a full login from /login after any flow changes.

Checks

• Curva renders a native email OTP form on /login.
• The Descope browser SDK supports sign-up-or-in and verification for email OTP.
• The hosted flow can still omit email OTP without breaking Curva email-code login.

Next steps

• Send a code to a real email address from /login.
• Verify the code and confirm Curva routes to onboarding or profile.
• Optionally add email OTP to the hosted flow later for a single Descope-only surface.

Checks

• Curva renders the hosted flow directly on /login.
• Custom Descope domain configured: https://auth.curva.com.
• Passkey/WebAuthn is already present in the live hosted flow.

Next steps

• Keep the passkey/WebAuthn path published in the hosted flow.
• Verify passkey registration and repeat sign-in on /login.

Checks

• Missing or placeholder Apple env keys: APPLE_SERVICE_ID, APPLE_APP_ID, APPLE_TEAM_ID, APPLE_KEY_ID.
• Custom Descope domain configured: https://auth.curva.com.
• Apple still needs provider setup in Descope and the Apple button/path added to the flow.

Next steps

• Replace placeholder Apple env vars in Curva with real values.
• Restart the API and web app after updating env.
• Configure the Apple provider in Descope using your Apple app credentials.
• Add Apple to the referenced Descope flow and publish it.
• Test the Apple login path from /login.