# Authentication and Invites in SlideStage Pro

SlideStage Pro uses closed registration. Users cannot sign up unless an admin gives them an invite token. This keeps a self-hosted Pro instance safe for small teams, private VPS deployments, and internal networks.

## Roles

Pro v0 needs two roles:

- `admin`: manages invites and platform-level actions.
- regular user: uploads and works with the decks they have access to.

Better Auth handles identity and sessions. Pro adds roles and invite rules on top of it.

## Login

Login uses Better Auth:

```text
POST /api/auth/sign-in/email
```

The browser receives an HttpOnly session cookie.

## Invite-gated signup

Signup requires `inviteToken`. A missing or invalid token returns `INVITE_REQUIRED`.

## Invite lifecycle

1. Admin creates an invite.
2. Pro generates a one-time token.
3. The user signs up with that token.
4. The server validates the token before creating the user.
5. After user creation, the invite is marked used and the role is assigned.

Used, expired, or deleted invites cannot be reused.

## Bootstrap admin

On first boot, if there are no users, Pro creates the first admin from the `BOOTSTRAP_ADMIN_*` environment variables. If no users exist and the bootstrap config is missing, the API should refuse to serve.

## Cookie setup

In production, session cookies should be HttpOnly, SameSite=Lax, and Secure over HTTPS. If a session disappears immediately after login, check `BETTER_AUTH_URL` and the reverse proxy headers.

## Non-goals for v0

Pro v0 does not include OAuth, passkeys, 2FA, multi-tenant orgs, public registration, or email password reset. The default boundary remains: registration is closed and admin invites control entry.