Auth Model

Authentication is already a first-class part of the starter, not a placeholder left for the buyer to invent from scratch.

Current Default Shape

• auth is handled through Convex Auth
• provider configuration lives in the backend package
• the starter supports Google OAuth and email OTP flows
• at least one auth provider must be enabled for a deployment

What Buyers Should Understand

• auth is not spread across ad hoc frontend-only logic
• backend-authenticated identity is the real enforcement boundary
• provider selection is configurable without changing the repo shape
• product access flows are separated across org, portal, and platform surfaces

Where Auth Lives

• packages/backend/convex/auth.ts
• packages/backend/convex/auth.config.ts
• provider modules under packages/backend/convex/providers/*

Practical Implications

• you can evaluate real sign-in flows early
• you can switch or refine enabled providers without reorganizing the app architecture
• auth state is already aligned to the Convex-backed application model

What You Will Still Customize

• which auth providers are enabled
• provider credentials and env
• exact account lifecycle behavior for your product
• any stricter security policies such as 2FA enforcement

Related Docs

• local-setup.md
• evaluator-troubleshooting.md
• billing-model.md
• permissions-and-capabilities.md
• integrations-matrix.md
• integrations-and-api.md
• ../product/surfaces-and-host-model.md