Demo only. The endpoints under server/api/ simulate a real ClientBE. In production your backend owns the CIBA confidential client and the receipt-introspection step.

What this demo shows

Two production flows from the Elitesoft FinGuard CIBA spec:

CIBA login — type a phone number on /login, the user approves on their phone, the browser receives the JWT.
Web-initiated tx-signing — start a payment on /payment, phone approves, browser gets a receipt JWT to hand to its real backend.

Not signed in

Visit /login to start. The /payment page needs a signed-in user since it talks to AuthServer with a Bearer token.

Where to look

shared/sdk/FinGuardWebSdk.ts is the entry point an integrator copies. server/api/auth/ is the mock ClientBE — port it to your real backend for production.