Startup Sequence

The startup sequence is engineered around a single constraint: the user must see a rendered UI immediately. Auth revalidation and sync catch-up happen concurrently in the background — never on the critical path to first paint.

1 2 3 4 5 App launch Open cached auth identity AND local Zero DB — parallel concurrent open Render immediately Last navigation state No spinner. Instant. instant render Revalidate auth Better Auth session check in background background Refresh sync creds Without recreating Zero storage in background background Account switch Isolate by userId apply deletion policy Launch Background operations

Better Auth Owns

Better Auth is the identity provider and session manager. Nothing outside this list is Better Auth's concern — all product data is Boja's responsibility.


Boja Owns

Everything that has product meaning lives in Boja's own tables. Better Auth knows nothing about these entities — there is no mirroring or synchronization.


Critical Boundary

Do Not Use Better Auth Organization Plugin as Product Source of Truth

Better Auth's Organization plugin provides rows for organizations, memberships, roles, and invitations. These rows are NOT canonical for Boja's product servers, memberships, invitations, owners, or roles. App tables own those records. Duplicating them into auth-owned tables creates authorization drift: two sources of truth that diverge under partial failures, migrations, and role changes. The Organization plugin is not used for any product authorization decision.


Security Posture

Surface Approach
Web sessions HttpOnly secure cookies. No localStorage bearer tokens. SameSite=Strict. Tokens never accessible to JavaScript.
Native sessions Expo SecureStore / iOS Keychain-backed encrypted storage. Session token is never stored in plain AsyncStorage.
Service JWTs Short-lived tokens (minutes, not hours). JWKS rotation. Used for native sync client authentication and service-to-service calls. Never long-lived API keys in environment variables.
OAuth Standard PKCE flow. State parameter validated server-side. Redirect URIs pinned to registered origins.
SSO / SCIM Deferred until required. Not in v1 plugin surface. Better Auth plugin interface owns it when enabled; no custom SAML/SCIM code in v1.

Startup Invariants

Cold Offline Launch

Cold offline launch renders cached state immediately. No network request is on the critical path to first paint. The Better Auth session cache and the Zero local replica are opened concurrently; whichever completes first unblocks its dependent work, but neither blocks the initial UI render.

No Global sessionPending Spinner

No component may render a global "session loading" spinner that blocks the entire app. Auth state is revalidated in the background. Components that require a confirmed authenticated session show skeleton states or degrade gracefully — they do not block the navigation shell from rendering.


Research Links

Better Auth Evaluation (doc 04) → Final Recommendation (doc 00) →