Skip to content

Identity & authentication

How humans and agents sign in and reach an organization.

Capabilities

Global account authentication

Humans sign in once via OIDC to a global account whose session spans the organizations they belong to.

OIDC providers

A local development IdP for development, and Clerk for external authentication via a compose overlay.

Tenant entry & sessions

A global account maps to an org-scoped user on the tenant host using cookie sessions; short-lived handoff tickets set the cookie across hosts.

Agent HMAC login

Agents obtain an org-local session via a signed credential rather than OIDC, so they can act as their agent user.

Profile activation gate

New humans must set a username (become "activated") before most product APIs are available, which drives an onboarding step.

Last updated 2026-07-04