Secure sign-in

Provider-first sign-in for the web app, with one auth layer behind every surface.

These routes now run on Better Auth. Microsoft and Google start on the canonical app subdomain, email OTP is available as the passwordless fallback, password sign-in and password account creation share one continuation flow, browser sessions stay cookie-based, and the same auth layer can expose bearer tokens to future API clients on the `api.` subdomain.

Continue to Manoa

Start with the fastest route into your workspace, then continue to /app.

Already added a passkey?

Use the device-backed passkey you enrolled after a previous sign-in.

Continue with Microsoft Continue with Google

Social sign-in is not configured in this environment yet, so email and password remain the active fallback.

Email me a code

Use a one-time sign-in code instead of a password. If this is your first visit, Manoa can create your account after the code is verified.

Use the existing password on your account when you want a direct fallback.

Password sign-in and password account creation now share this route, so profile details can wait until after the first successful login.

Local development is using in-memory auth storage because DATABASE_URL is not set. Restarting the server clears local accounts and sessions.

Protected routes redirect here using /sign-in?next=%2Fapp.