Auth model

Auth is not yet implemented in apps/backend/src/. This page describes the intended contract. It becomes live once code lands under apps/backend/src/ and the corresponding route handlers are exported through the Hono app. Until then, treat every section below as a future-direction specification, not a description of behavior that exists today.

Current state

Today, apps/backend/src/index.ts exposes the Hono app with the route handlers that have already shipped — primarily OpenAPI and a small set of placeholder endpoints. There is no auth route, no session middleware, and no user record persistence in code. The Cloudflare Worker runs without an authentication layer.
CapabilityStatus today
Authentication routesNot implemented
Session middlewareNot implemented
User record persistenceNot implemented
OAuth provider wiringNot implemented
Consent category gating on routesConsent contract authored; not yet enforced
See Backend overview for the current route layout and API reference for the implemented HTTP surface. Both are auth-free as of this writing.

Intended model

When auth lands, Clay adopts a B2C, owner-of-vault model. Each person is the sole owner of their vault, their translated signals, and their consent grants. Sharing requires explicit, reversible permission per category. The candidate library for implementation is Better Auth — a TypeScript-native auth framework with first-class Hono integration, broad OAuth provider coverage, and a database adapter layer that pairs naturally with the intended Hyperdrive boundary. The vendor snapshot at docs/vendor/better-auth/llms.txt is the reference material; no code depends on it yet. See Reference materials below for the snapshot location and refresh workflow.
Better Auth is the candidate, not a commitment. The contract on this page describes what Clay’s auth needs to do, not which library will do it. If a different auth implementation lands first, the model on this page stays the same; only the implementation changes.

Properties the implementation must satisfy

1

Owner-of-vault

Each authenticated principal is the sole owner of their personal knowledges, intentions, and personality signals. No co-tenant, no shared-ownership path.
2

Consent-gated sharing

External sharing — fit briefs, intro drafts, taste signals — requires an explicit, scoped grant from the owner. Categories and recipients are surfaced at the moment of share and are reversible.
3

Server-side session authority

Sessions live on the server. The client receives an opaque cookie or token; the server is the source of truth for who is currently authenticated.
4

OpenAPI-aligned route surface

Auth routes are registered through the same Hono + @hono/zod-openapi pattern as the rest of the backend. Schemas are exported with the rest of the OpenAPI document.
5

Worker-friendly runtime

The auth implementation must run inside the Cloudflare Worker runtime. Long-lived state — if any — lives in the intended Hyperdrive boundary, not in Worker memory.
Auth does not replace the consent contract. The intended auth surface exposes the consent categories as first-class grants, so the server can refuse a request that depends on a category the user has not enabled.
CategoryAuth-level concern
Check-insPermission to push notifications and outbound messages.
Opportunity suggestionsPermission to read vault content when producing fit briefs.
IntroductionsPermission to write draft shares to external recipients on the user’s behalf.
RemindersPermission to schedule and trigger follow-up nudges.
DebriefsPermission to ask for outcome checks after accepted opportunities.
See Consent for the full contract: the translated-signals rule, the category table, and the consent UI treatment.

Data residency rules

1

User-owned data stays in the user vault

Auth credentials, session records, and personal knowledges live in the same database boundary as the rest of the user’s data. There is no separate auth silo.
2

Worker runtime is stateless

The Cloudflare Worker holds no long-lived user state between requests. Sessions resolve through the database on each call.
3

No raw database URLs in source

Auth code reaches the database through the intended Hyperdrive binding, never through a raw connection string committed to the repo.
4

OAuth provider data is scoped

When an OAuth provider is wired, the scopes Clay requests must be the minimum needed for the intended features. Broader scopes require a written justification in the matching ADR.
5

Cookies are scoped to Clay

Auth cookies are issued with the minimum surface area Clay needs. Cross-subdomain sharing is off by default and requires an explicit decision.

Acceptance criteria

The auth contract is considered implemented only when all of the following are true in code, not just in this page:
1

Auth routes exported through OpenAPI

Sign-in, sign-out, session, and account-management routes appear in openapi/openapi.yaml and pass redocly lint.
2

Session middleware on protected routes

Route handlers that read or write vault content reject anonymous requests with a documented error shape.
3

Consent category enforcement

A request that depends on a revoked consent category is rejected before any side effect.
4

Database boundary wired through Hyperdrive

The auth code reads and writes through the intended Hyperdrive binding. No raw connection string is committed.
5

Spec and code move together

This page is updated in the same change as the code that implements the auth surface. Until then, the implementation-status warning at the top of this page remains.
Per AGENTS.md, do not pre-document functionality that does not yet exist. The acceptance criteria above are the test for when this page should be downgraded from “intended” to “live”. Until all five criteria pass, the warning stays.

Reference materials

The Better Auth vendor snapshot lives in the canonical Clay repository at docs/vendor/better-auth/llms.txt (and per-page Markdown in docs/vendor/better-auth/docs/). It is refreshed from the official https://better-auth.com/llms.txt source and tracked by docs/vendor/manifest.json. Treat the snapshot as offline reference material, not as the authoritative source — the official Better Auth documentation is canonical when the two disagree. See the root AGENTS.md for the refresh workflow.

Consent

The translated-signals rule and the consent categories auth must respect.

Backend overview

The Hono + OpenAPI layout auth will plug into.

Architecture

The intended Hyperdrive boundary and Worker runtime auth will share.

CI and local validation

The scripts that gate the auth code change once it lands.