Authentication and Invites in SlideStage Pro

SlideStage Pro uses closed registration. Users cannot sign up unless an admin gives them an invite token.

This keeps a self-hosted Pro instance safe for small teams, private VPS deployments, and internal networks.

Roles

Pro v0 needs two roles:

  • admin: manages invites and platform-level actions.
  • regular user: uploads and works with accessible decks.

Better Auth handles identity and sessions. Pro adds roles and invite rules.

Login

Login uses Better Auth:

POST /api/auth/sign-in/email

The browser receives an HttpOnly session cookie.

Invite-gated signup

Signup requires inviteToken.

Missing or invalid tokens return INVITE_REQUIRED.

Invite lifecycle

  1. Admin creates an invite.
  2. Pro generates a one-time token.
  3. The user signs up with that token.
  4. The server validates the token before creating the user.
  5. After user creation, the invite is marked used and the role is assigned.

Used, expired, or deleted invites cannot be reused.

Bootstrap admin

On first boot, if there are no users, Pro creates the first admin from BOOTSTRAP_ADMIN_* environment variables.

If no users exist and bootstrap config is missing, the API should refuse to serve.

Cookie setup

In production, session cookies should be HttpOnly, SameSite=Lax, and Secure over HTTPS.

If the session disappears immediately after login, check BETTER_AUTH_URL and the reverse proxy headers.

Non-goals for v0

Pro v0 does not include OAuth, passkeys, 2FA, multi-tenant orgs, public registration, or email password reset.

The default boundary remains: registration is closed and admin invites control entry.