PAY-799 · Overdue · vendor

Choose auth provider for internal tools

Internal tools auth has been a Frankenstein of cookies + a homegrown JWT for 14 months. Stack Auth was deployed two sprints ago for the new admin surface and is already serving 8 employees. Decision must land before the SOC2 audit window opens.

Decider
@kai → escalated to @jun
overdue 6d

Drafted memo

We need a single auth surface across admin, billing-ops and the new payments dashboard.

Stack Auth is already in production for one tool, costs $0, and the team owns the deployment.

Clerk would save ~3 dev-days but adds a vendor dependency for SOC2 evidence collection.

Recommendation: standardise on Stack Auth, fold the existing admin under it this week.

Options

Stack Auth — self-host, already deployed (Recommended)
  8 users on it today; zero new infra; we own the keys
  Cost: 0.5 dev-week to migrate the admin tool

Clerk — hosted
  Faster to wire SSO + MFA out of the box
  Cost: $0–$99/mo + new vendor in SOC2 scope

Keep current Frankenstein auth
  Lowest short-term effort
  Cost: audit risk; cannot pass SOC2 control AC-3 as-is

When you ship Cloud, deciders pick from Slack or here. The decision is committed back as a memo under .crastinating/decisions/.