13. Authentication and User Management
Reference for how authentication, users, tenants, and per-tenant configuration work in sv0-platform. For the operational end-to-end flow, see [Authentication, end-to-end](../runbooks/authentication-end-to-end.md).
ADR-017: WorkOS as Authentication Provider
Selects WorkOS as the identity provider for sv0-platform. WorkOS provides AuthKit (hosted login), enterprise SSO with a self-serve Admin Portal, Directory Sync, and magic-link passwordless sign-in; it is free at evaluation scale, with per-connection pricing at enterprise scale.
ADR-021: Delegated-Agent Audit Log Storage
Picks a persistent store for delegated_agent audit log entries. Recommends Grafana Cloud Loki (already adopted by ADR-019, free at pilot scale) for general-purpose audit retention, with a small Mongo audit_logs collection reserved for the customer-facing 'who did what' query surface, to be added only once a tenant asks for one.
ADR-023: Authentication Target Architecture
Target authentication architecture for SecurityV0, covering portal UI, API, and infrastructure access. Three IdPs (GitHub at L1, the perimeter; WorkOS at L2, the application; Entra at L3, Azure RBAC), four SSH tiers including a narrow Tier-1.5 emergency key, and an Active subscription-Owner Entra account (no PIM and no backup SP (service principal); a second human Owner is the rollback) protected by Security Defaults MFA on sign-in.
Agent and M2M Authentication
Quick-reference runbook for any agent, CI job, connector, or external script that needs to authenticate against the sv0-platform API. Covers the three live machine-auth paths and explicitly forbids replicating the deprecated personal-agent bridge.
Auth Simplification Plan
Four-PR plan to delete the personal-agent bridge, collapse three super-admin allowlists to one, and clean up the legacy authMiddleware + OIDC + redirect/cookie env duplications. Reduction-only — no new features. The plan is itself a simplification of an earlier six-step draft that mirrored the accretion pattern it was trying to fix.
Authentication, end-to-end
The single end-to-end overview of how authentication works on the sv0-platform. Read this first if you are a developer or agent landing here. Covers the human (cookie session) and machine (bearer JWT / API key) flows, the four-middleware pipeline, the network perimeter, and where each piece of code lives. Links to the deep-dive docs.
GitHub Secrets Inventory
Canonical inventory of every GitHub Environment / repo secret used by sv0 deploys, CI, and tooling. One row per secret: name, repo, scope, exact workflow files that consume it, purpose, status. Includes a VM ↔ secret mapping for migration planning.
Multi-Tenant Auth & User Model — Provider Comparison
Research artifact: side-by-side comparison of six authentication providers (WorkOS, Clerk, Stytch B2B, Auth0, Cloudflare Access, roll-your-own) across twelve criteria. Informed ADR-017's selection of WorkOS.
Pre-Client Enterprise Readiness Plan (v2.0)
Pre-client readiness plan for MediaPro pilot (early May 2026). Two architectural decisions (WorkOS auth + MongoDB Atlas) pre-resolve the auth and database P0s found in the original six-perspective adversarial review. Remaining pilot work is grouped by capability across observability, connectors, analyst workflow, and client-facing artifacts.
WorkOS Auth Implementation Plan
Phased implementation plan for adopting WorkOS as the identity provider, rebuilding tenant/user/membership model, URL-scoping tenants to /t/:slug, and establishing the SecurityV0 super-admin pattern. Implements ADR-016 and ADR-017.
WorkOS AuthKit hosted-login branding
Manual one-time config to brand the WorkOS AuthKit hosted-login page with the SecurityV0 [S] mark — field-by-field panel values, logo asset, and verification, repeated per WorkOS environment (Staging + Production).
WorkOS Production Configuration
Operational truth for the prod WorkOS environment — orgs, DNS, Google OAuth client, auth methods, cookie config, and cutover gotchas. Single source to check before touching any auth-adjacent record.