Auth
Human authentication is WorkOS AuthKit; the portals (portal,
portal-business) sign in through it. Machine/storefront auth (Vendure) is
separate and intentionally retained (see decision record).
Organizations & roles
- Each tenant maps to a WorkOS organization. Provisioning mints one keyed on
  business.id (see Provisioning).
- Access is gated by org membership and role. Gates are strict: there is no
  silent member fallback. A missing owner role is fixed by the
  backfill-workos-owner-role.ts script, not by re-adding a shim.
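The strict gate described above, as an added example written for this page (it is not the @nexus/workos-auth API; the session shape, role names and error reasons are assumptions). The point it makes concrete is the difference between a gate that reports a missing role as its own failure and the old shim that quietly treated a missing role as "member".

```typescript
// Added example: strict org/role gate with no silent member fallback.
// Illustrative only; not the project's @nexus/workos-auth helpers.

type Role = "owner" | "admin" | "member";

// Assumed shape of the session after AuthKit sign-in (hypothetical fields).
interface Session {
  userId: string;
  organizationId?: string; // WorkOS org the user signed in to
  role?: Role;             // role within that org; may be absent if provisioning half-finished
}

type GateReason = "not_member" | "no_role" | "insufficient_role";

class GateError extends Error {
  constructor(public readonly reason: GateReason, message: string) {
    super(message);
  }
}

const RANK: Record<Role, number> = { member: 1, admin: 2, owner: 3 };

// Strict gate: passes only if the session is in `orgId` with a role at least `required`.
// A missing role is a hard failure ("no_role"), never downgraded to "member".
export function requireOrgRole(session: Session, orgId: string, required: Role): Role {
  if (session.organizationId !== orgId) {
    throw new GateError("not_member", `user ${session.userId} is not a member of ${orgId}`);
  }
  if (session.role === undefined) {
    // Surface the real problem so it gets fixed by the owner-role backfill, not masked.
    throw new GateError("no_role", `user ${session.userId} has no role in ${orgId}`);
  }
  if (RANK[session.role] < RANK[required]) {
    throw new GateError("insufficient_role", `role ${session.role} is below ${required}`);
  }
  return session.role;
}

// The kind of shim the page says not to re-add, kept here only for contrast:
// a missing role silently becomes "member", so the half-provisioned owner gets in
// with the wrong role and nobody sees that provisioning is broken.
export function legacyGateWithFallback(session: Session, orgId: string, required: Role): Role {
  const role: Role = session.role ?? "member";
  if (session.organizationId !== orgId) throw new GateError("not_member", "not a member");
  if (RANK[role] < RANK[required]) throw new GateError("insufficient_role", `role ${role} is below ${required}`);
  return role;
}

// Convenience for HTTP handlers that map the reason to a 403 body instead of catching.
export function gateReason(session: Session, orgId: string, required: Role): "ok" | GateReason {
  try {
    requireOrgRole(session, orgId, required);
    return "ok";
  } catch (e) {
    if (e instanceof GateError) return e.reason;
    throw e;
  }
}
```

A "no_role" result from the strict gate is the signal to run the backfill for that user; the legacy variant would have returned "member" for the same session and hidden the gap.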
Two allowlists (the common footgun)
WorkOS has two separate allowlists, and both must include each origin:
- Redirect URIs — where AuthKit may return after login.
- Allowed Origins — which web origins may initiate the flow.
Configuring only the first produces a silent /callback redirect loop. Add the
origin to both for every environment (including localhost in dev).
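A pre-deploy check for the footgun above, as an added example written for this page (not project code). It takes the origins each environment serves and the contents of the two allowlists, and reports every origin that one list covers but the other does not. The allowlist contents and hostnames in `sampleFindings` are constructed for the example; the real lists live in the WorkOS configuration.

```typescript
// Added example: cross-check the two WorkOS allowlists against every origin we serve.
// Sample data below is constructed; it is not the project's real configuration.

interface AllowlistConfig {
  redirectUris: string[];    // the "Redirect URIs" allowlist (full URLs)
  allowedOrigins: string[];  // the "Allowed Origins" allowlist (scheme://host[:port])
}

interface Finding {
  env: string;
  origin: string;
  missing: ("redirect_uri" | "allowed_origin")[];
}

// Normalise to scheme://host[:port] so trailing slashes and paths do not cause false alarms.
export function originOf(url: string): string {
  return new URL(url).origin;
}

// For each env -> origins we serve, report which allowlist does not cover the origin.
// A redirect URI only counts if it is this origin's callback path, not some other path.
export function checkAllowlists(
  envOrigins: Record<string, string[]>,
  config: AllowlistConfig,
  callbackPath = "/callback",
): Finding[] {
  const allowed = new Set(config.allowedOrigins.map(originOf));
  const findings: Finding[] = [];
  for (const [env, origins] of Object.entries(envOrigins)) {
    for (const raw of origins) {
      const origin = originOf(raw);
      const missing: Finding["missing"] = [];
      const hasRedirect = config.redirectUris.some((u) => {
        const parsed = new URL(u);
        return parsed.origin === origin && parsed.pathname === callbackPath;
      });
      if (!hasRedirect) missing.push("redirect_uri");
      if (!allowed.has(origin)) missing.push("allowed_origin");
      if (missing.length > 0) findings.push({ env, origin, missing });
    }
  }
  return findings;
}

// Human-readable symptom for a finding. The redirect-loop wording is the page's own
// description of the "only the first list" misconfiguration.
export function symptom(f: Finding): string {
  const onlyOriginMissing = f.missing.length === 1 && f.missing[0] === "allowed_origin";
  if (onlyOriginMissing) {
    return `${f.env} ${f.origin}: redirect URI registered but origin not allowed -> silent /callback redirect loop`;
  }
  return `${f.env} ${f.origin}: missing ${f.missing.join(" and ")}`;
}

// Constructed scenario: staging's business portal was added to Redirect URIs only.
export function sampleFindings(): Finding[] {
  const envOrigins = {
    dev: ["http://localhost:3000"],
    staging: ["https://portal.staging.example.com", "https://business.staging.example.com"],
  };
  const config: AllowlistConfig = {
    redirectUris: [
      "http://localhost:3000/callback",
      "https://portal.staging.example.com/callback",
      "https://business.staging.example.com/callback",
    ],
    allowedOrigins: ["http://localhost:3000/", "https://portal.staging.example.com"],
  };
  return checkAllowlists(envOrigins, config);
}
```

Run it as part of the environment-provisioning checklist: a non-empty result for any env means login will misbehave there before a single user reports it.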
Shared primitives
- @nexus/auth-client: shared WorkOS AuthKit React primitives.
- @nexus/workos-auth: server-side gates/roles helpers.
SSE scoped tokens (stoken)
Server-Sent Events streams (notifications, convergence) are authorized with a
short-lived scoped token (stoken) rather than the long-lived ?token= query param
they previously used (a security migration). An stoken is minted per stream and
expires quickly. See the Glossary.