dev-towi6qrmubkmo0d6.us.auth0.comAll EnvForge identity flows should use this Auth0 tenant for user authentication and organization login context.
Docs / Auth0 and authorization
Use Auth0 for identity and organization login context, then let the EnvForge backend mirror users and organizations and enforce product permissions for every dashboard, CLI, and gateway action.
tenantdev-towi6qrmubkmo0d6.us.auth0.com
audiencehttps://api.envforge.ai
apps: Web App / CLI / Gateway
roles: owner / admin / developer / viewer / billing
authorization: EnvForge backend
Setup anchors
The Auth0 side should identify the user, tenant, organization login context, application surface, and API audience. Product permissions remain an EnvForge backend responsibility.
dev-towi6qrmubkmo0d6.us.auth0.comAll EnvForge identity flows should use this Auth0 tenant for user authentication and organization login context.
https://api.envforge.aiTokens for EnvForge product APIs should target this Auth0 API identifier before requests reach the backend.
Web App / CLI / GatewayKeep Auth0 clients separated by product surface so dashboard, terminal, and gateway sessions can be reasoned about independently.
EnvForge backendAuth0 proves who signed in. EnvForge mirrors users and organizations, then decides which product actions are allowed.
Auth0 applications
EnvForge Web App, EnvForge CLI, and EnvForge Gateway all start from Auth0 identity, but the backend still decides what that signed-in identity may do inside the product.
Browser login for the dashboard against the EnvForge Auth0 tenant and API audience.
Checks mirrored user, organization, product role, project access, and billing permission before dashboard actions.
Terminal sign-in for envforge login using the same identity and organization login context.
Issues a CLI session only after the backend authorizes organization membership and workspace permissions.
Gateway application for authenticated product and gateway session handoff.
Enforces workspace, service, signed dev link, and role checks before forwarding to product or runtime surfaces.
Identity handoff
Treat Auth0 as the source of identity and login context, not the product permission engine. The backend should check the mirrored EnvForge user and organization on every product request.
Auth0 tenant + audienceThe user signs in through the EnvForge Auth0 tenant, with the requested organization context and API audience attached to the product session.
Auth0 subject -> EnvForge userThe backend mirrors the Auth0 user and organization into EnvForge records so authorization can be audited and enforced inside the product model.
owner/admin/developer/viewer/billingEvery dashboard, CLI, and gateway request is checked against EnvForge product roles plus project, workspace, billing, and dev-link permissions.
dashboard / CLI / gatewayEnvForge opens only the authorized product surface. Identity alone does not grant shell, runtime admin, secrets, billing, or signed dev link control.
Product roles
Keep the role vocabulary in EnvForge so permissions stay tied to product behavior: organization management, project work, workspace access, dev link sharing, billing, and read-only review.
Org ownershipControls organization-level authority, owner assignment, high-risk policies, billing authority, and final permission changes.
Org operationsManages projects, members, workspace policies, signed dev link controls, and normal organization settings.
Workspace workOpens workspaces, runs envforge up, creates authorized dev links, and inspects runtime readiness for assigned projects.
Read-only accessReads projects, workspace state, usage, docs, and approved signed dev links without changing product configuration.
Spend controlsManages plan, payment, usage caps, and invoices without inheriting broad code or workspace administration.