17 docs tagged with "authentication"

13. Authentication and User Management

Reference for how authentication, users, tenants, and per-tenant configuration work in sv0-platform. For the operational end-to-end flow, see [Authentication, end-to-end](../runbooks/authentication-end-to-end.md).

ADR-012: User Authentication Strategy

[SUPERSEDED by ADR-016 and ADR-017] Dual-mode auth — GitHub OAuth with org-gate for internal admins, email magic link with whitelist for early clients

ADR-016: Multi-Tenant Authentication Architecture

Adopt a B2B multi-tenant authentication architecture with an external identity provider as source of truth, URL-scoped tenants, SecurityV0 as its own organization, and cross-tenant super-admins via internal-org membership.

ADR-017: WorkOS as Authentication Provider

Select WorkOS as the identity provider for sv0-platform. Provides AuthKit (hosted login), enterprise SSO with self-serve Admin Portal, Directory Sync, and magic-link passwordless — free at evaluation scale, per-connection pricing at enterprise scale.

ADR-023: Authentication Target Architecture

Target authentication architecture for SecurityV0 — portal UI, API, and infrastructure access. Three IdPs (GitHub at L1 perimeter, WorkOS at L2 application, Entra at L3 Azure RBAC), four SSH tiers including a narrow Tier-1.5 emergency key, an Active subscription-Owner Entra account (no PIM, no backup SP — 2nd-human-Owner is the rollback) with Security Defaults MFA-on-sign-in.

Agent and M2M Authentication

Quick-reference runbook for any agent, CI job, connector, or external script that needs to authenticate against the sv0-platform API. Covers the three live machine-auth paths and explicitly forbids replicating the deprecated personal-agent bridge.

Auth Simplification Plan

Four-PR plan to delete the personal-agent bridge, collapse three super-admin allowlists to one, and clean up the legacy authMiddleware + OIDC + redirect/cookie env duplications. Reduction-only — no new features. The plan is itself a simplification of an earlier six-step draft that mirrored the accretion pattern it was trying to fix.

Authentication, end-to-end

The single end-to-end overview of how authentication works on the sv0-platform. Read this first if you are a developer or agent landing here. Covers the human (cookie session) and machine (bearer JWT / API key) flows, the four-middleware pipeline, the network perimeter, and where each piece of code lives. Links to the deep-dive docs.

Local Dev Credential Bootstrap

Inventory of every credential a Claude Code session in the SecurityV0 workspace touches in a day, with lifetimes, device-bound flags, a single daily morning-routine script, and an analysis of remote-from-iPhone options.

User Authentication Implementation Plan

Plan to implement dual-mode user authentication for sv0-platform (GitHub OAuth for admins, email magic link for clients), replacing the REQUIRE_AUTH=false production bypass per ADR-012.

WorkOS Auth Implementation Plan

Phased implementation plan for adopting WorkOS as the identity provider, rebuilding tenant/user/membership model, URL-scoping tenants to /t/:slug, and establishing the SecurityV0 super-admin pattern. Implements ADR-016 and ADR-017.

WorkOS AuthKit hosted-login branding

Manual one-time config to brand the WorkOS AuthKit hosted-login page with the SecurityV0 [S] mark — field-by-field panel values, logo asset, and verification, repeated per WorkOS environment (Staging + Production).

WorkOS Production Configuration

Operational truth for the prod WorkOS environment — orgs, DNS, Google OAuth client, auth methods, cookie config, and cutover gotchas. Single source to check before touching any auth-adjacent record.