Hello Francis,

To answer your question partially, username/ password validation happens on GCP server. We do a POST request and send a JSON object with those values filled in. If the login succeeds, we send back a token. Nginx is really working just as a proxy here. Something like this on browser Network debug log,

Request URL: https://xxxxx.us/gcp/users/auth
Request Method: POST
Status Code: 401
Remote Address: xxx.xxx.xxx.xxx
Referrer Policy: strict-origin-when-cross-origin

In this case 401 is valid (I am on IPv4) as the user/ pass was wrong.

Payload:
{username: "johnie", password: "yespapa", remember: null}

Successful login will return 200 and an object that looks something like this,

access_token: "a.b.c.d"
attributes: {
"username": "string",
"roles": []
etc...
}

Thanks,
Suvendra