Domain Architecture

Overview

Chompardo uses three domains, each with a distinct responsibility.

Domains

chompardo.com — Marketing Site

Public-facing landing page, feature overviews, pricing, and blog. Fully stateless — no auth cookies or session management. Sign-in and sign-up buttons link to identity.chompardo.app.

chompardo.app — Web Application

The main product experience. Users interact with the app here after authentication.

Subdomains:

  • chompardo.app — The app itself
  • api.chompardo.app — Backend API (Go modular monolith)
  • identity.chompardo.app — Authentication (sign-in, sign-up, password reset)

Auth cookies are scoped to *.chompardo.app, covering the app, the API, and the identity service. After successful authentication at identity.chompardo.app, users are redirected to chompardo.app.

chompardo.io — Reserved

Redirects to chompardo.com. Reserved for potential future use (e.g. API docs, developer portal).

Auth Flow

  1. User visits chompardo.com and clicks Sign in
  2. User is sent to identity.chompardo.app
  3. After successful authentication, user is redirected to chompardo.app
  4. Session cookies on *.chompardo.app keep the user authenticated

Design Decisions

  • No cross-domain auth. The marketing site (.com) has no awareness of auth state. If a logged-in user visits .com, they simply see a sign-in button, and clicking it redirects them instantly because their session on .chompardo.app is still valid. This avoids the complexity of cross-domain cookies, which browsers increasingly restrict.
  • .app TLD enforces HTTPS via HSTS preload, providing an extra layer of security by default.
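
The cookie scope described under chompardo.app and the no-cross-domain decision above can be checked offline with Go's standard cookie jar. This is an added example, not Chompardo's own code: it assumes the *.chompardo.app scope is implemented as Domain=chompardo.app, and the cookie name, value, flags and the staging subdomain are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// sessionCookie builds the cookie identity.chompardo.app would set.
// Name, value and the Secure/HttpOnly/SameSite flags are assumptions.
// An empty domain yields a host-only cookie, used here for contrast.
func sessionCookie(domain string) *http.Cookie {
	return &http.Cookie{
		Name: "session", Value: "constructed-sample-value",
		Domain: domain, Path: "/",
		Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode,
	}
}

// sentTo reports whether a browser-like cookie jar attaches the cookie,
// as set by https://identity.chompardo.app, to a request for target.
func sentTo(c *http.Cookie, target string) bool {
	jar, err := cookiejar.New(nil) // nil public-suffix list is enough offline
	if err != nil {
		return false
	}
	setter, _ := url.Parse("https://identity.chompardo.app/")
	jar.SetCookies(setter, []*http.Cookie{c})
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	return len(jar.Cookies(u)) > 0
}

func main() {
	targets := []string{
		"https://chompardo.app/", "https://api.chompardo.app/",
		"https://identity.chompardo.app/",
		"https://staging.chompardo.app/", // hypothetical future subdomain
		"http://chompardo.app/",          // plain HTTP: Secure blocks it
		"https://chompardo.com/",         // marketing site: different domain
	}
	for _, t := range targets {
		fmt.Printf("%-34s domain-scoped=%-5v host-only=%v\n", t,
			sentTo(sessionCookie("chompardo.app"), t), sentTo(sessionCookie(""), t))
	}
}
```

The host-only column shows the trade-off: without a Domain attribute the cookie stays on identity.chompardo.app, while the domain-scoped form reaches every current and future subdomain, so each host under chompardo.app has to be trusted with the session.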