Rosewood access

Compatible Systems ID for house operations.

Use the house identity provider to reach bookings, room release controls, owner blocks, house users, and the agent inbox. Passkeys remain available for local-device fallback access.

Invited Rosewood house users only

Compatible Systems ID is primary

Platform passkeys stay available as a fallback

Admin dashboard remains gated after sign-in

Identity plan

Get the right person into admin.

Access packet is ready to copy.

IDP group required

Authentik group membership syncs the local Better Auth admin role on sign-in.

House admins

Conrad, Jessica, and Sarah are members of the Rosewood house-admin group.

Passkey fallback

Passkeys still work for local-device access when the IDP path is not convenient.

Open admin

After sign-in, bookings, users, rooms, and house-agent requests remain admin gated.

Use this packet when inviting Jessica, Sarah, the house manager, or another Rosewood operator.

Better Auth

Register or sign in

Authentik

WebAuthnChecking

Conditional UIChecking

Secure contextChecking

OriginChecking origin

RP IDChecking RP ID

Passkey-first contract

Invite, register, then manage admin access.

Registration context is ready.

Registration contextconrad@rosewood.local

Sent to Better Auth as passkey context so resolveUser can match an invited Rosewood house user.

Session ruleregistration.requireSession=false

The server allows passkey-first onboarding before a session exists.

Conditional UImanual prompt fallback

The input keeps webauthn as the final autocomplete token, then conditional UI can preload.

Origin and RP IDChecking origin / Checking RP ID

Localhost is valid for local WebAuthn development before Rosewood is published.

Launch runbook

Keep migration, registration, and admin access in order.

Schema runbookuser, session, verification, passkey

Run bun run auth:migrate, then bun run db:seed before first registration.

Passkey tablecredential + authenticator metadata

Better Auth stores credentialID, publicKey, aaguid, backup state, transports, and counter.

Register then sign inSign-in required after registration

Registering creates the credential; signing in creates the session that unlocks admin.

Admin unlock checklist

Make sure the handoff can reach operations.

Admin unlock checklist is ready.

Invite emailReadyconrad@rosewood.local

The typed address is passed as Better Auth passkey context and must match a Rosewood invite.

Device checkCheckingPasskey prompt fallback

This browser can use WebAuthn on localhost before the Rosewood site is published.

SessionSign-in requiredNo active session

DestinationLocked/admin

After sign-in, Rosewood admin opens to users, bookings, rooms, and house-agent requests.

Invited admin emailOpen admin

Checking auth session...

Registered passkeys

Credential shelf

No registered passkeys to show yet.