Authentication
Login method
Percus uses Google OAuth 2.0 as the sole authentication provider, managed through NextAuth.js 5. There are no username/password credentials — all authentication is delegated to Google's identity infrastructure.
This means:
- Percus never stores or handles passwords.
- A breach of Percus cannot expose passwords, because none exist; account takeover risk is concentrated in the user's Google account itself.
- Multi-factor authentication is controlled at the Google account level.
Session management
After a successful Google login, NextAuth.js issues a JWT session token stored in an HTTP-only, secure cookie. The token carries:
| Claim | Description |
|---|---|
| sub | User ID (Percus internal UUID) |
| email | User's Google email |
| org_roles | Map of organizationId → role for all orgs the user belongs to |
| system_role | "Owner" for Percus platform admins; absent for all other users |
The session token is validated on every request. Because org_roles and system_role are carried inside the JWT rather than looked up per request, a role change or removal from an organization is not visible until the session is refreshed and a new token is issued; until then, requests are evaluated against the previous mapping.
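The following is an added example, not Percus or NextAuth.js code. It models the session claims from the table above and shows the two checks a request handler would make on them: an org-scoped role check, and a staleness check for the caveat that role changes only land after the session is refreshed. The org role names "Member" and "OrganizationAdmin", the ordering between them, the presence of a standard `iat` claim, and the server-side `changedAt` timestamp are assumptions for illustration and are not stated on this page.

```typescript
// Added example (not Percus or NextAuth.js code). Claim shape follows the
// session table; role names, role ordering and `iat` are assumed.

type OrgRole = "Member" | "OrganizationAdmin";

interface SessionClaims {
  sub: string;                          // Percus internal user UUID
  email: string;                        // user's Google email
  org_roles: Record<string, OrgRole>;   // organizationId -> role
  system_role?: "Owner";                // present only for platform admins
  iat?: number;                         // issued-at, seconds since epoch (assumed)
}

// Assumed ordering: an OrganizationAdmin may do anything a Member may.
const RANK: Record<OrgRole, number> = { Member: 1, OrganizationAdmin: 2 };

// Structural validation of a decoded payload before it is trusted. A token
// with a malformed org_roles map is rejected outright rather than treated as
// "no roles", so a bad claim never silently grants or denies anything.
function parseClaims(payload: unknown): SessionClaims | null {
  if (typeof payload !== "object" || payload === null) return null;
  const p = payload as Record<string, unknown>;
  if (typeof p.sub !== "string" || typeof p.email !== "string") return null;
  if (typeof p.org_roles !== "object" || p.org_roles === null) return null;
  const orgRoles: Record<string, OrgRole> = {};
  for (const [orgId, role] of Object.entries(p.org_roles as Record<string, unknown>)) {
    if (role !== "Member" && role !== "OrganizationAdmin") return null;
    orgRoles[orgId] = role;
  }
  if (p.system_role !== undefined && p.system_role !== "Owner") return null;
  if (p.iat !== undefined && typeof p.iat !== "number") return null;
  return {
    sub: p.sub,
    email: p.email,
    org_roles: orgRoles,
    system_role: p.system_role as "Owner" | undefined,
    iat: p.iat as number | undefined,
  };
}

// Org-scoped check: the user must belong to *this* org with at least the
// required role. Membership in another org does not count, and neither does
// the platform-level Owner role, which is checked separately.
function canActInOrg(claims: SessionClaims, orgId: string, required: OrgRole): boolean {
  const have = claims.org_roles[orgId];
  if (have === undefined) return false;
  return RANK[have] >= RANK[required];
}

function isPlatformAdmin(claims: SessionClaims): boolean {
  return claims.system_role === "Owner";
}

// Staleness check for the refresh caveat: if this org's membership changed
// after the token was issued, org_roles may be out of date and the caller
// should force a session refresh instead of trusting the claim. `changedAt`
// (seconds since epoch) is assumed to come from a server-side record.
function orgRolesMayBeStale(claims: SessionClaims, changedAt: number): boolean {
  if (claims.iat === undefined) return true; // cannot tell; treat as stale
  return claims.iat < changedAt;
}

// Constructed sample payload, not a real token.
const SAMPLE = {
  sub: "6b2f0c1e-0000-4000-8000-000000000001",
  email: "alice@example.com",
  org_roles: { "org-a": "OrganizationAdmin", "org-b": "Member" },
  iat: 1700000000,
};

const claims = parseClaims(SAMPLE);
if (claims !== null) {
  console.log(canActInOrg(claims, "org-a", "OrganizationAdmin")); // true
  console.log(canActInOrg(claims, "org-b", "OrganizationAdmin")); // false
  console.log(orgRolesMayBeStale(claims, 1700000500));            // true
}
```

The staleness check is what turns the refresh caveat into something enforceable: a handler that records when an organization's membership last changed can reject or refresh tokens minted before that point instead of waiting for the next scheduled refresh.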
Invitation-based onboarding
Users cannot self-register. Access to an organization is granted only through an explicit invitation issued by an OrganizationAdmin. The invited user authenticates with their Google account and is associated with the role assigned at invitation time.
What Percus does not handle
| Concern | Who handles it |
|---|---|
| Password strength and rotation | Not applicable (Percus has no passwords) |
| MFA enforcement | Google Workspace admin or individual Google account settings |
| SSO policy (e.g. force company Google account) | Client's Google Workspace admin |
| Session duration policy | NextAuth.js configuration (platform-controlled) |