The private demo, admin pages, and chat API use app-level session authentication with rate limiting and audit logging.