Overview

Every multi-app stack eventually faces the same fork in the road: duplicate login screens and divergent user records, or a single front door that every product agrees to respect. Auth is Dark Avian Labs’ answer to that fork.

Auth is the shared authentication and authorization service for the ecosystem. It owns the boring truth: who the user is, whether their session is still valid, and which applications they are allowed to open. Client apps - Armory, Codex, and anything you add later - stay focused on their own domains while Auth stays focused on identity, sessions, and access control.

The implementation matches the philosophy: a compact Express + React application backed by a central SQLite database that acts as the system of record for user-related data. Sessions are first-class citizens, not an afterthought bolted onto each repo. Cookie strategy is designed around a shared apex domain so “log in once, wander the subdomains” remains achievable without inventing a bespoke token dance for every new microsite.

Auth also carries the operational knobs product owners rarely see until launch week: rate limits for sensitive routes, sane defaults for secure cookies in production, and environment-driven wiring for BASE_DOMAIN, subdomains, and the comma-separated APP_LIST that declares which app ids are recognized at the edge.
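A sketch of how that environment wiring can turn into cookie attributes and an app allowlist check, added here as an illustration and not taken from Auth's own code. Only BASE_DOMAIN and APP_LIST come from the description above; the function names, the sample values, and the mapping of one app id to one subdomain label are assumptions.

```javascript
// Added example. Only BASE_DOMAIN and APP_LIST come from the page; all
// function names and the sample values are hypothetical.

function normalizeDomain(raw) {
  return String(raw || '').trim().toLowerCase().replace(/^\.+|\.+$/g, '');
}

// Parse the comma-separated APP_LIST into a set of lowercase app ids.
function parseAppList(raw) {
  const ids = String(raw || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  for (const id of ids) {
    // An id that is not a single DNS label cannot name one subdomain.
    if (!/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/.test(id)) {
      throw new Error('invalid app id in APP_LIST: ' + JSON.stringify(id));
    }
  }
  return new Set(ids);
}

// Session cookie attributes (same option names as Express res.cookie()).
function sessionCookieOptions(env) {
  const production = env.NODE_ENV === 'production';
  const base = normalizeDomain(env.BASE_DOMAIN);
  if (production && !base.includes('.')) {
    throw new Error('BASE_DOMAIN must be set to the apex domain in production');
  }
  const opts = { httpOnly: true, secure: production, sameSite: 'lax', path: '/' };
  // A Domain attribute sends the cookie to every subdomain of the apex;
  // without one (e.g. localhost in development) it stays host-only.
  if (base.includes('.')) opts.domain = base;
  return opts;
}

// Return the app id when host is exactly <appId>.<BASE_DOMAIN> and the id
// is listed in APP_LIST; otherwise null.
function appIdForHost(host, env) {
  const base = normalizeDomain(env.BASE_DOMAIN);
  const h = String(host || '').toLowerCase().replace(/:\d+$/, '').replace(/\.$/, '');
  const suffix = '.' + base;
  if (!base || !h.endsWith(suffix)) return null;
  const label = h.slice(0, -suffix.length);
  return parseAppList(env.APP_LIST).has(label) ? label : null;
}

// Constructed sample environment.
const sampleEnv = { NODE_ENV: 'production', BASE_DOMAIN: 'example.test', APP_LIST: 'armory, codex' };
console.log(sessionCookieOptions(sampleEnv), appIdForHost('codex.example.test', sampleEnv));
```

Because the Domain attribute delivers the session cookie to every host under the apex, the suffix match is exact and the label must be in APP_LIST, so lookalike hosts and unlisted subdomains resolve to null.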

If Armory is the workshop and Codex is the shelf, Auth is the keyring. It will never be the screenshot on the marketing page, and that is exactly why it deserves careful engineering: when Auth is boring, everything else gets to be interesting.