Two identity surfaces, side by side
The pools are independent. A user with acustomer@example.com account on Acme’s app does not have a gavAI account. An operator who can patch Acme’s pages does not, by virtue of that, have an end-user record inside Acme’s app. The two never share a session, a credential, or a token.
The control-plane operator surface is documented under Authentication. This page documents the end-user surface, which is what your visitors see when they sign in to the app you built.
What the runtime supports
Each workspace’s identity service supports the patterns end users actually expect from a modern app. You enable the ones you want on the workspace’s auth configuration — you do not build them. A single workspace can offer all three at once. The end user picks the method on the sign-in page; the platform unifies them under one identity record once they have signed in.Password reset, MFA, and lockout
All three are platform-owned. You configure them, you do not write them.Session lifetime and refresh
End-user sessions are short-lived access tokens paired with a refresh token. The defaults — access TTL, refresh TTL, idle timeout — are workspace-configurable and applied consistently across passkey, password, and federated sign-in. A workspace owner can revoke any end-user session immediately — the next refresh attempt fails, and any in-flight access token is rejected on next use.End users in capabilities
TheauthUser capability returns the currently signed-in end user’s profile and roles. Capabilities that act on the end user’s behalf — runQuery reading rows owned by them, storeFile writing to their bucket prefix — automatically pick up the session and resolve ownership against it.
Two consequences worth holding: