Skip to content

Auth + CMS

Authentication has two separate operator-facing boundaries: Better Auth owns web users and sessions, while Payload owns native CMS operator accounts.

  • Better Auth is the canonical web-user authority for sign-in, sessions, workforce SSO, access requests, and connector OAuth linked accounts.
  • apps/web and apps/web-token-replacer share the same web-user auth through @repo/nuxt-auth-layer; apps/auth remains the Better Auth authority.
  • cms-customer and cms-leverage use native Payload CMS Users, not Better Auth CMS roles.
  • cms-customer exposes read-only Web App Users and access-request mirrors for operator lookup and review workflows.
  • Web email/password onboarding uses access requests, admin review, secure completion, and canonical email flows.
  • Workforce SSO uses deployment-scoped provider policy, and every workforce provider id remains isolated from connector/social OAuth provider ids.
  • cms-customer and cms-leverage have separate env vars, databases, secrets, service keys, auth accounts, and deployment boundaries.
  • Default-provider auto-redirect is deferred until account-selection and ownership semantics are accepted.
  • Real live IdP browser verification against production Google/Microsoft provider registrations remains a separate verification gap.
  • CMS role-definition CRUD is deferred beyond the current role-assignment/admin boundaries.
  • docs/features/authentication/spec.md
  • docs/features/token-replacer/spec.md
  • docs/features/authentication/decisions/ADR-009-cms-user-sync-strategy.md
  • docs/features/authentication/decisions/ADR-010-better-auth-admin-plugin-and-payload-access-control.md
  • docs/features/authentication/decisions/ADR-011-access-request-mirror-and-auth-authority.md
  • docs/features/cms-control-plane-split/spec.md
  • apps/auth/src
  • packages/nuxt-auth-layer
  • apps/web-token-replacer
  • apps/cms-customer/src
  • apps/cms-leverage/src