OSS-first docs
These docs teach the open system first: contracts, generated surfaces, runtimes, governance, and incremental adoption. Studio shows up as the operating layer on top, not as the source of truth.
Domain docs
AuthOS
Identity, roles, permissions, sessions, and tenant-safe access decisions, with one session authority and consistent multi-surface enforcement.
Source packages
Start with packages/modules/auth-os, then use the spec and runtime packages as compatibility boundaries.
packages/libs/authos-spec
packages/libs/authos-runtime
packages/libs/identity-rbac
packages/integrations/authos-better-auth
Platform stance
Define the domain once. Render web and mobile with platform-native shells after contract, role, tenant, and policy resolution.
Canonical surfaces
Sign-in, sign-up, magic-link, email-OTP, OAuth/OIDC, and session contracts
Multi-factor authentication (TOTP) and recovery codes
Organization, team, and admin management
RoleMorph and identity-rbac role/permission gates
Tenant-aware authorization with fail-closed access decisions
Web (Next.js) and native mobile (Expo) auth surfaces from one AuthOsAdapter port
Implementation notes
better-auth is the credential/session identity provider via the authos-better-auth bridge; keep the provider adapter outside the domain contract.
identity-rbac is the live role/permission authority: project the session into a Subject through the authos-runtime SubjectProvider before generated UI or workflow surfaces render.
Route every credential and plugin sign-in path through a single session-authority hook so exactly one authoritative session is minted with an active organization (fail-closed on missing membership).
Enforce policy.auth consistently across REST, GraphQL, and MCP runtimes (401 unauthenticated, 403 unauthorized); treat a transiently unavailable RBAC store as a retryable 503, never a silent 401.
A capability is only marked runtime-backed when a real plugin/adapter implements it, enforced by a build-time spec-to-adapter parity check. Passkeys/WebAuthn, SSO/SAML, SCIM, and audit-log capabilities are explicitly deferred until their providers are wired.
Domains overview
Navigate AuthOS, BillingOS, CompanyOS, CommunicationOS, and other product operating domains across web and mobile.
BillingOS
Implement plans, subscriptions, invoices, payments, entitlements, and billing evidence across web and mobile.
Why ContractSpec
Keep educational and comparison content reachable without letting it define the primary OSS learning path.