Auth + CMS
Authentication has two separate operator-facing boundaries: Better Auth owns web users and sessions, while Payload owns native CMS operator accounts.
Implemented
Section titled “Implemented”- Better Auth is the canonical web-user authority for sign-in, sessions, workforce SSO, access requests, and connector OAuth linked accounts.
apps/webandapps/web-token-replacershare the same web-user auth through@repo/nuxt-auth-layer;apps/authremains the Better Auth authority.cms-customerandcms-leverageuse native PayloadCMS Users, not Better Auth CMS roles.cms-customerexposes read-onlyWeb App Usersand access-request mirrors for operator lookup and review workflows.- Web email/password onboarding uses access requests, admin review, secure completion, and canonical email flows.
- Workforce SSO uses deployment-scoped provider policy, and every workforce provider id remains isolated from connector/social OAuth provider ids.
cms-customerandcms-leveragehave separate env vars, databases, secrets, service keys, auth accounts, and deployment boundaries.
Current Limits
Section titled “Current Limits”- Default-provider auto-redirect is deferred until account-selection and ownership semantics are accepted.
- Real live IdP browser verification against production Google/Microsoft provider registrations remains a separate verification gap.
- CMS role-definition CRUD is deferred beyond the current role-assignment/admin boundaries.
Read Next
Section titled “Read Next”Canonical Sources
Section titled “Canonical Sources”docs/features/authentication/spec.mddocs/features/token-replacer/spec.mddocs/features/authentication/decisions/ADR-009-cms-user-sync-strategy.mddocs/features/authentication/decisions/ADR-010-better-auth-admin-plugin-and-payload-access-control.mddocs/features/authentication/decisions/ADR-011-access-request-mirror-and-auth-authority.mddocs/features/cms-control-plane-split/spec.mdapps/auth/srcpackages/nuxt-auth-layerapps/web-token-replacerapps/cms-customer/srcapps/cms-leverage/src