Reference for how authentication, users, tenants, and per-tenant configuration work in sv0-platform. For the operational end-to-end flow, see [Authentication, end-to-end](../runbooks/authentication-end-to-end.md).
[SUPERSEDED by ADR-016 and ADR-017] Dual-mode auth — GitHub OAuth with org-gate for internal admins, email magic link with whitelist for early clients
Adopt a B2B multi-tenant authentication architecture with an external identity provider as source of truth, URL-scoped tenants, SecurityV0 as its own organization, and cross-tenant super-admins via internal-org membership.
Research artifact: side-by-side comparison of six authentication providers (WorkOS, Clerk, Stytch B2B, Auth0, Cloudflare Access, roll-your-own) across twelve criteria. Informed ADR-017's selection of WorkOS.