Second supports two authentication modes, controlled by theDocumentation Index
Fetch the complete documentation index at: https://docs.second.so/llms.txt
Use this file to discover all available pages before exploring further.
SECOND_AUTH_MODE environment variable.
none mode (local development)
Designed for local development and trusted internal networks. Identity is managed entirely within Second.
How it works:
- User fills out
/onboarding/identity(display name + email). - A local signed session cookie is issued.
- Users without workspace memberships are redirected to
/onboarding/workspace. - Cookie signatures use an auto-generated process secret — no external config needed.
scripts/local-workspace-member.mjs; the seeded user
is added to the workspace’s default General team.
external mode (production)
For internet-facing deployments. Second delegates authentication to your own provider.
Your provider must:
- Resolve the authenticated actor on each request
- Return a stable user identifier
- Map the identity into Second’s
usersand membership model - Sync workspace memberships and roles into Second’s
workspace_memberships - Send and reconcile workspace invitations when collaboration is enabled
external mode is set but no provider extension is present, the app fails fast on startup — you’ll see a clear error rather than silent misbehavior.
External providers should map each workspace to the provider’s organization or
tenant concept. Accepted invitations must upsert the Second user, upsert the
workspace membership with a validated role (owner, admin, or member), and
ensure the user belongs to the workspace’s default General team.
How auth mode affects authorization
Authentication mode only changes where identity comes from. The authorization flow is the same regardless:- Resolve actor (from session cookie or external provider)
- Verify workspace membership
- Check any route-level workspace permission
- Query scoped by
workspaceId