auth.signIn({ provider: 'aguilabs' }) → rls.enforce({ tenant: customer_id }) → session.validate({ scope: 'network' }) → data.isolate({ policy: 'strict-rls' })

Infrastructure

The Aguilabs Network

One login. Every app you build on Aguilabs. Your customers sign up once and they're in everywhere — forever.

What is the Aguilabs Network?

Every application built by Aguilabs runs on a shared authentication backbone — the Aguilabs Network. When a customer logs into one of your apps, their credentials work across all of them.

Think of it as a private SSO ecosystem for your business portfolio. One account. Multiple products. Zero re-registration.

For businesses on Starter and Growth plans, this is shared auth. Pro plans can add a dedicated namespace. Enterprise includes fully dedicated auth infrastructure by default.

Example: bakery client
1. Customer visits bakery website
   Signs up with email → Aguilabs account created

2. Owner adds an online ordering app later
   Same Aguilabs account — customer already has access

3. Owner adds a loyalty program app
   Still same login. Zero friction for customer.

One account · Three apps · Zero re-registration

Shared auth. Isolated data.

The most common question: "If auth is shared, can other businesses see my data?" No. Here's exactly why.

Row-Level Security

Every database table enforces a tenant check. Even if two businesses share an auth system, queries are filtered to return only that business's data. This is enforced at the database level — not just the application layer.

Tenant Resolution

A database function resolves the logged-in user to their specific tenant ID on every request. All isolation policies reference this function, ensuring no query can cross tenant boundaries.

Zero Cross-Visibility

Business A's customer cannot see Business B's data — even if they share the same Aguilabs login. The isolation is absolute and database-enforced, not just hidden in the UI.

Technical Implementation
-- Auth: shared network auth (single namespace, all Aguilabs apps)
-- Tenant resolution: every request resolves to an isolated business context
-- Identity binding: user identity linked 1:1 to a tenant profile
-- Isolation: row-level policies enforced on every table, every query
-- Scope: projects, milestones, messages, assets, notifications, invoices
-- Dedicated auth: separate auth infrastructure per tenant (Pro add-on / Enterprise)
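
The row-level security and tenant-resolution pattern described above, written out for PostgreSQL as an added example; it is not Aguilabs' own code. The table names, the `current_tenant_id()` function and the `app.user_id` session setting are assumptions for illustration.

```sql
-- Added example: all names below are hypothetical, not Aguilabs' schema.
-- Assumption: after verifying the session, the API layer runs, per transaction:
--   SELECT set_config('app.user_id', '<verified user uuid>', true);

CREATE TABLE tenant_profiles (
    user_id   uuid PRIMARY KEY,   -- identity bound 1:1 to a tenant
    tenant_id uuid NOT NULL
);
-- RLS enabled with no policy: non-owner roles cannot read the mapping directly.
ALTER TABLE tenant_profiles ENABLE ROW LEVEL SECURITY;

CREATE TABLE invoices (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    amount    numeric(10,2) NOT NULL
);

-- Tenant resolution: maps the authenticated user to a tenant ID.
-- SECURITY DEFINER (function assumed to be owned by the owner of
-- tenant_profiles) lets it read the mapping the caller cannot;
-- search_path is pinned so the caller cannot shadow the table.
CREATE FUNCTION current_tenant_id() RETURNS uuid
LANGUAGE sql STABLE SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
    SELECT tenant_id
    FROM tenant_profiles
    WHERE user_id = nullif(current_setting('app.user_id', true), '')::uuid
$$;

ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;   -- table owner is filtered too

-- USING filters reads; WITH CHECK rejects writes into another tenant.
-- With no user set, current_tenant_id() is NULL and no row matches (fail closed).
CREATE POLICY tenant_isolation ON invoices
    USING      (tenant_id = current_tenant_id())
    WITH CHECK (tenant_id = current_tenant_id());

-- Audit check: list tables in the schema that still have RLS disabled.
SELECT c.relname
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public' AND c.relkind = 'r' AND NOT c.relrowsecurity;
```

Superusers and roles with the `BYPASSRLS` attribute are not subject to these policies, so the application should connect as an ordinary role without that attribute.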

Auth models by plan

Start shared, upgrade to dedicated as your business scales.

Shared Network Auth

Starter / Growth

Starter and Growth plans. Your app shares the Aguilabs Network auth namespace. Users log in with one Aguilabs account across all Aguilabs-powered apps. Data stays completely isolated per business.

Included
Dedicated Auth (Add-on)

Pro add-on

Pro plan add-on. A separate auth namespace provisioned exclusively for your app. Your users' accounts live in your own auth silo — no shared namespace. Same data model, fully separate identity infrastructure.

+$20/mo
Dedicated Auth (Included)

Enterprise

Enterprise plans include fully dedicated auth infrastructure. Separate auth namespace, fully white-labeled. Your brand, your platform, your users.

Included

Questions

Ready to build on the Network?

Every Aguilabs project is Network-ready from day one.