
# Auth and workspace model

The main Panicly web app uses WorkOS for identity and sealed cookie sessions. The chatbot app uses a separate NextAuth and guest-session model.

- WorkOS is the OAuth and identity provider for the main web/dashboard app.
- The session is a sealed cookie session, not a database-backed session.
- The session includes `userId`, `workosUserId`, `organizationId`, `email`, and `accessToken`.

The chatbot has its own NextAuth credentials flow, guest sessions, route protection, and persistence. Do not merge it into the dashboard auth story.

## Workspace roles

Workspace ownership is inferred from insertion order: the earliest organization user row is treated as owner and later rows as members.

Owner-only writes include billing, provider keys, API key management, workspace controls, project creation, and onboarding completion.

Only the workspace owner can manage billing, secrets, keys, and workspace controls.
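
A sketch of the role inference and owner-only gate described in this section, added here as an example and not taken from Panicly's code. The row shape, the `id` tie-breaker, the action names and the function names are assumptions; `userId` and `organizationId` are the session fields listed above.

```typescript
// Added example. Row shape, action names and function names are hypothetical,
// not Panicly's schema or API.
type OrgUserRow = { id: number; organizationId: string; userId: string; createdAt: string };
type Role = "owner" | "member" | "none";
type SessionIdentity = { userId: string; organizationId: string };

// Owner-only write categories listed on this page (identifiers are assumed).
const OWNER_ONLY_ACTIONS = new Set<string>([
  "billing", "provider_keys", "api_keys",
  "workspace_controls", "project_create", "onboarding_complete",
]);

// Constructed sample rows, deliberately out of insertion order.
const SAMPLE_ROWS: OrgUserRow[] = [
  { id: 2, organizationId: "org_a", userId: "user_2", createdAt: "2024-01-02T09:00:00Z" },
  { id: 4, organizationId: "org_b", userId: "user_3", createdAt: "2024-01-03T09:00:00Z" },
  { id: 1, organizationId: "org_a", userId: "user_1", createdAt: "2024-01-01T10:00:00Z" },
  { id: 3, organizationId: "org_b", userId: "user_2", createdAt: "2024-01-03T09:00:00Z" },
];

// Insertion order: timestamp first, then a monotonic id (assumed) so rows
// sharing a timestamp still resolve to exactly one owner.
function byInsertion(a: OrgUserRow, b: OrgUserRow): number {
  const dt = Date.parse(a.createdAt) - Date.parse(b.createdAt);
  return dt !== 0 ? dt : a.id - b.id;
}

// Earliest row in the organization is the owner, later rows are members,
// and a user with no row in that organization has no role at all.
function inferRole(rows: OrgUserRow[], organizationId: string, userId: string): Role {
  const orgRows = rows.filter((r) => r.organizationId === organizationId).sort(byInsertion);
  const index = orgRows.findIndex((r) => r.userId === userId);
  if (index === -1) return "none";
  return index === 0 ? "owner" : "member";
}

// Server-side gate: the role is recomputed from rows on every write and
// never read from client-supplied input.
function canPerform(rows: OrgUserRow[], session: SessionIdentity, action: string): boolean {
  const role = inferRole(rows, session.organizationId, session.userId);
  if (role === "none") return false;
  // Assumption: writes not on the owner-only list are open to any member.
  return OWNER_ONLY_ACTIONS.has(action) ? role === "owner" : true;
}
```

In this sketch the role is derived rather than stored, so removing the earliest row makes the next-oldest row the owner.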

## Web auth routes

```txt title="apps/web/src/app/api/auth"
login/route.ts
logout/route.ts
redirect/route.ts
callback/route.ts
session/route.ts
```

## Bootstrap behavior

The web auth callback can seal a bootstrap session and redirect to `/onboarding?setup=database` when Supabase schema or network access is unavailable.