Alpha

Team Workspace

This track builds an authenticated team-workspace backend from an empty folder to a running, session-protected app under Aspire. You will scaffold a workspace (Postgres by default, swappable to mysql, mssql, or sqlite via --db), sign users in through a pluggable auth backend, give the workspace its own isolated database, provision new members with a background job, and gate your service routes with the real .withAuthz() seam. It is one continuous app — your my-workspace/ grows with every chapter.

  1. Scaffold
  2. Auth
  3. Workspace data
  4. Provision job
  5. Route authz
  6. Deploy

What you will build

By the end of this track you will have a NetScript workspace that signs a real user in through an OAuth/OIDC provider, mints a session cookie, stores workspace records in their own isolated Postgres (the default; or mysql / mssql / sqlite via --db), provisions a new member off the request path with a background job, and rejects unauthenticated requests to its guarded routes with a 401 — all running locally under one Aspire dashboard. The central idea: authentication in NetScript is a pluggable backend, a session, and a route-authz seam — not a bespoke rewrite you carry yourself.

The arc: auth → session → authz

Three ideas carry the whole track, and each chapter adds exactly one:

  • Auth — a backend turns a sign-in into an identity. You pick one of three backends (kv-oauth, workos, better-auth) with an environment variable; the contract is identical across all three.
  • Session — a successful sign-in mints a normalized AuthSession and sets a session cookie. Every later request resolves the current session from that cookie.
  • Authz — a service gates its own routes with .withAuthn() (resolve a Principal) and .withAuthz() (decide from it). This is authorization scoped to individual routes, not org/role RBAC.

Who this is for

You should be comfortable with the basics from the core tutorial ladder — scaffolding a workspace, the contract → service flow, and bringing up Aspire. This track does not re-teach those; it assumes you can scaffold and boot, then layers authentication on top. If netscript init and aspire start are new to you, walk the Quickstart first.

The six chapters

What you built

A clear map of the track: an authenticated team-workspace backend built on a pluggable auth backend, a session, and a route-authz seam — single-tenant by design, with org scoping as an explicit app-level extension. Start at chapter 1 and keep the same my-workspace/ through to deploy.