Shared auth surface
Sign-in, recovery, and password setup live in one neutral place. After authentication, the platform can safely resolve the user into the correct internal or tenant experience.
Onboarding
Invite-led access only. No public self-signup.
Recovery
Forgot password and set-password flows are now browser-real.
Boundary
Supabase Auth handles identity; business data stays behind NestJS.
Request a new password link for an invited Plan2Yield account. This keeps onboarding aligned with invite-led access rather than public signup.