Reference for how authentication, users, tenants, and per-tenant configuration work in sv0-platform. For the operational end-to-end flow, see [Authentication, end-to-end](../runbooks/authentication-end-to-end.md).
Adopt a B2B multi-tenant authentication architecture with an external identity provider as source of truth, URL-scoped tenants, SecurityV0 as its own organization, and cross-tenant super-admins via internal-org membership.
Adopt Terraform + hybrid repo structure (new sv0-infrastructure for cross-cutting, existing in-repo modules stay) + Terraform Cloud free tier for state and runners. Design modules so each customer tenant can be stamped out as an independent stack for dedicated-deployment clients.
Serve EU and US clients via per-region MongoDB Atlas clusters with app-side tenant routing instead of a single MongoDB Atlas Global Cluster, with an explicit control-plane / tenant-data-plane split and region-tagged connector API keys to keep all hot-path lookups region-local.
Per-tenant connector instances, scoped scans, scan history, scheduling — the control plane that replaces today's manual connector invocations.
How a single global app domain (app.securityv0.com) serves tenants in different regions via per-region MongoDB Atlas clusters with application-side tenant routing — with phased deployment topology, request flow walkthroughs, and cost progression.
Research artifact: side-by-side comparison of six authentication providers (WorkOS, Clerk, Stytch B2B, Auth0, Cloudflare Access, roll-your-own) across twelve criteria. Informed ADR-017's selection of WorkOS.
Phased implementation plan for adopting WorkOS as the identity provider, rebuilding tenant/user/membership model, URL-scoping tenants to /t/:slug, and establishing the SecurityV0 super-admin pattern. Implements ADR-016 and ADR-017.