Auth & Organizations
Full authentication with email, Google OAuth, and email verification. Multi-tenant organizations with teams, invitations, and role-based access control — all wired in and ready to use.

Organization settings — manage details, members, invitations, teams, and usage from a single dashboard.
Email + password authentication
Standard email and password sign-up and sign-in with required email verification before account activation.
- Email + password with Zod validation on all forms
- Required email verification before access is granted
- Sign-in with 'Keep me signed in' option
- Powered by better-auth with 11+ auto-managed endpoints
Google OAuth
One-click social sign-in with Google. Users can sign up or sign in with their Google account alongside email + password.
- Google sign-in button on both sign-up and sign-in pages
- Automatic account linking when email matches
- OAuth credentials managed server-side
Email verification & password reset
Two verification modes — OTP (6-digit code) or magic link — configurable via environment variable. Full password reset flow with email delivery.
- OTP: 6-digit code sent via Resend
- Magic link: one-click verification via email
- Configurable via AUTH_VERIFICATION_METHOD env var
- Password reset with email delivery and token expiration
- Inline verification flow on 403 responses
Multi-tenant organizations
Full organization support with onboarding, settings, and a sidebar switcher. Users can belong to multiple orgs and switch between them.
- Organization onboarding with name field and auto-derived slug
- Org settings: general (name, slug, logo, delete), members, invitations, teams, usage
- Sidebar dropdown for switching between orgs or 'Personal' mode
- Skip option for users who only need personal accounts
- Organization logo upload
Teams
Nested team structure within organizations. Create teams, add members, and assign team-level roles for granular access control.
- Create and delete teams within an organization
- Add members and assign team-specific roles
- Three-tier permission model: org admin, team-admin, member
- Usage analytics scoped by team for team-admins
- Team Files tab in the file dashboard
Member invitations
Invite new members to your organization via email. Invitations include a dedicated acceptance page with auth-needed, expired, and not-found states.
- Email invitations sent via Resend with branded templates
- Dedicated /accept-invitation page with state handling
- Accept and decline buttons with auto-redirect
- Cancel pending invitations from org settings
- Redirect chain support for protected entry points
Session management
Sessions automatically carry organization and team context. Auth works consistently across tRPC, chat API, and server components.
- New sessions auto-assigned to user's organization context
- activeOrganizationId and activeTeamId tracked on the session
- Consistent auth across tRPC procedures, chat API, and server components
- Post-signup hook creates a Stripe customer in the background
- User deletion supported
Role-based access
| Role | Permissions |
|---|---|
| Owner | Full control over the organization. Can delete the org, manage billing, and promote members. |
| Admin | Can manage members, invitations, teams, and org settings. Cannot delete the org. |
| Member | Standard access. Can use the chatbot and manage their own files and memories within the org scope. |
Auth, orgs, and teams — already wired.
You're not buying a starter kit and planning a rewrite later.