Skip to main content
Overlay authentication has three independent layers:
  1. Session backend — WorkOS or Better Auth owns the browser session.
  2. Identity protocol — the private deployment currently uses OpenID Connect (OIDC).
  3. Provider recipe — Google Workspace, Auth0, Entra ID, or a generic OIDC provider supplies identities.
Keeping these layers separate prevents provider-specific assumptions from leaking into the application. Overlay consumes one normalized session and user contract after login.

Supported combinations

Better Auth and WorkOS identities are intentionally separate. Matching email addresses do not merge accounts, chats, settings, or billing data.
Use Better Auth + OIDC + Google Workspace when the customer already manages staff accounts in Google Workspace. Overlay stores its own sessions in Postgres while Google remains the identity authority.
Start with: Use Auth0 only when Auth0 is the approved identity broker. Use Generic OIDC for Cognito, Okta, and Keycloak.