Quickstart

The Northwind Tasks showcase

A live, end-to-end demo of every Authio platform feature on a single B2B SaaS — and how to read its source so you can copy the patterns.

Northwind Tasks is a fictional project tracker we built end-to-end on Authio. It’s a real, deployed Next.js app whose only purpose is to exercise every Authio surface a real B2B SaaS would touch — passwordless sign-in, multi-org sessions, FGA decisions, Admin Portal SSO, audit log, recovery codes, step-up auth, billing.

Open the live demo → · GitHub source →

Why a separate repo: we deliberately keep the demo isolated from the Authio platform repos so the source is small enough to read in a single sitting. The auth flows, BFF patterns, and FGA-permission UI are the only thing worth copying — the task model is intentionally trivial (an in-memory store, no DB).

What it proves

  1. Multi-org switcher — top-bar dropdown with role-per-org context.
  2. Passkey enroll + sign-in via the @authio/nextjs SDK pattern.
  3. Magic-link fallback — same screen, same flow shape.
  4. Social sign-in (Google + Microsoft) via auth-core OAuth.
  5. SAML SSO — Admin Portal token mint + redirect.
  6. Multi-org with different roles per workspace.
  7. FGA view/edit/delete decisions surfaced in the UI.
  8. Audit log — last 50 events from the management-API.
  9. Recovery codes via auth-core.
  10. Step-up auth before a destructive delete.
  11. Custom-domain hint for branded sign-in.
  12. Billing surface from authio_billing.

Code to read

The demo follows the same BFF pattern we recommend for any Next.js relying-party. Start with these files:

To learnRead
How to verify Authio JWTs server-sidelib/jwt.ts — mirrors @authio/nextjs/server verifyToken
How to call auth-core from a BFFapp/api/auth/passkey/login/options/route.ts and the rest of app/api/auth/*
How to resolve the active org per requestlib/session.ts + lib/org-context.ts
How to call FGA from a Server Componentlib/fga.ts + usage in app/(main)/app/[orgSlug]/projects/[id]/page.tsx
How to launch the Admin Portalapp/(main)/app/[orgSlug]/settings/sso/page.tsx
How to wire step-up auth into a Server Actionapp/api/orgs/delete/route.ts + app/(main)/app/[orgSlug]/settings/danger/DeleteOrgButton.tsx
How to embed the audit logapp/(main)/app/[orgSlug]/audit/page.tsx
How to read live billing for a tenantlib/billing.ts + app/(main)/app/[orgSlug]/settings/billing/page.tsx
How to bootstrap a fresh Authio tenant idempotentlyscripts/seed.ts

Walking through the demo

  1. Land on / — public marketing splash. Notice the tiny “Built on Authio” badge in the bottom-right; that badge is on every page of the app.
  2. Click “Try it live” — drops you on the sign-in page with passkey, magic-link, social, and SAML options. The cleanest demo flow is “Sign up” tab → enter any email → enroll a passkey. You’re signed in within a second.
  3. You land in Acme Corp — the BFF auto-adds new users to all three demo workspaces with different roles. The top-bar org switcher shows them all.
  4. Open a project — see three permission badges (view/edit/delete) with the exact FGA tuple that resolved each decision.
  5. Switch to Initech (viewer role) — same project UI but now edit is denied. The FGA reasoning is shown inline.
  6. Settings → SSO → Configure SSO — bounces you to the live Admin Portal with a one-time token.
  7. Settings → Danger zone → Delete — type the workspace name and click. The destructive action triggers a fresh passkey assertion (step-up) before the management-API call runs.

Clone and customize

The README in the demo repo documents every env var and the bootstrap commands we ran to create the Northwind tenant + FGA store + seed data. Clone it, change the tenant name + accent color in app/globals.css, point the env vars at your own Authio project, and you have a starting point for dogfooding the platform inside your own app.

tcast/authio_demo-northwind on GitHub