Target authentication architecture for SecurityV0 — portal UI, API, and infrastructure access. Three IdPs (GitHub at L1 perimeter, WorkOS at L2 application, Entra at L3 Azure RBAC), four SSH tiers including a narrow Tier-1.5 emergency key, an Active subscription-Owner Entra account (no PIM, no backup SP — 2nd-human-Owner is the rollback) with Security Defaults MFA-on-sign-in.
The single end-to-end overview of how authentication works on the sv0-platform. Read this first if you are a developer or agent landing here. Covers the human (cookie session) and machine (bearer JWT / API key) flows, the four-middleware pipeline, the network perimeter, and where each piece of code lives. Links to the deep-dive docs.
Inventory of every credential a Claude Code session in the SecurityV0 workspace touches in a day, with lifetimes, device-bound flags, a single daily morning-routine script, and an analysis of remote-from-iPhone options.
Research artifact: side-by-side comparison of six authentication providers (WorkOS, Clerk, Stytch B2B, Auth0, Cloudflare Access, roll-your-own) across twelve criteria. Informed ADR-017's selection of WorkOS.