e2b-dev · ben-fornefeld · May 25, 2026 · May 25, 2026 · May 25, 2026 · May 26, 2026
@@ -24,8 +24,28 @@ NEXT_PUBLIC_SUPABASE_ANON_KEY=your_supabase_anon_key
 ### Auth provider: supabase (default) or ory
 # AUTH_PROVIDER=supabase
 
-### Ory Network SDK URL (required when AUTH_PROVIDER=ory)
+### Ory Network configuration (required when AUTH_PROVIDER=ory)
+### SDK URL of the Ory Network project (or custom domain like https://auth.e2b.dev)
 # ORY_SDK_URL=https://your-project.projects.oryapis.com
+### OAuth2 client credentials issued by Ory for this dashboard deployment
+# ORY_OAUTH2_CLIENT_ID=
+# ORY_OAUTH2_CLIENT_SECRET=
+### Access-token audience requested from Ory. Must match infra AUTH_PROVIDER_CONFIG.jwt[].issuer.audiences.
+# ORY_OAUTH2_AUDIENCE=https://api.e2b.dev
+### Ory project admin API token used by oryAuthAdmin (IdentityApi lookups)
+# ORY_PROJECT_API_TOKEN=
+### Dashboard API admin token used to bootstrap newly signed-in Ory users
+# DASHBOARD_API_ADMIN_TOKEN=
+
+### Auth.js configuration (required when AUTH_PROVIDER=ory)
+### Generate with `npx auth secret` or `openssl rand -hex 32`. Used to encrypt the JWT session cookie.
+# AUTH_SECRET=
+### Set to 1 outside Vercel-hosted production to allow Auth.js to trust the Host header
+# AUTH_TRUST_HOST=1
+
+### Legacy Supabase bootstrap fallback used by dashboard route team resolution.
+### Ory sign-in bootstrap does not depend on this flag.
+# ENABLE_USER_BOOTSTRAP=0
 
 ### Billing API URL (Required if NEXT_PUBLIC_INCLUDE_BILLING=1)
 # BILLING_API_URL=https://billing.e2b.dev
@@ -84,3 +104,7 @@ NEXT_PUBLIC_SUPABASE_ANON_KEY=your_supabase_anon_key
 
 ### Set to 1 to enable verbose logging
 # NEXT_PUBLIC_VERBOSE=0
+
+### Set to 1 to pause new sign-ups during auth migration.
+### Existing users can still sign in and invite team members.
+# NEXT_PUBLIC_AUTH_MIGRATION_IN_PROGRESS=0
@@ -0,0 +1,2 @@
+spec/openapi.dashboard-api.yaml linguist-generated=true
+src/core/shared/contracts/dashboard-api.types.ts linguist-generated=true
@@ -60,6 +60,7 @@
     "@opentelemetry/sdk-metrics": "^2.0.1",
     "@opentelemetry/sdk-node": "^0.203.0",
     "@opentelemetry/semantic-conventions": "^1.36.0",
+    "@ory/client-fetch": "^1.22.37",
     "@radix-ui/react-avatar": "^1.1.4",
     "@radix-ui/react-checkbox": "^1.3.3",
     "@radix-ui/react-dialog": "^1.1.15",
@@ -111,6 +112,7 @@
     "motion": "^12.23.25",
     "nanoid": "^5.0.9",
     "next": "^16.2.6",
+    "next-auth": "^5.0.0-beta.31",
     "next-safe-action": "^8.0.11",
     "next-themes": "^0.4.6",
     "nuqs": "^2.7.0",

@@ -58,5 +58,25 @@ const schema = serverSchema
       path: ['PLAIN_API_KEY'],
     }
   )
+  .refine(
+    (data) => {
+      if (data.AUTH_PROVIDER !== 'ory') return true
+
+      return Boolean(
+        data.AUTH_SECRET &&
+          data.ORY_SDK_URL &&
+          data.ORY_OAUTH2_CLIENT_ID &&
+          data.ORY_OAUTH2_CLIENT_SECRET &&
+          data.ORY_OAUTH2_AUDIENCE &&
+          data.ORY_PROJECT_API_TOKEN &&
+          data.DASHBOARD_API_ADMIN_TOKEN
+      )
+    },
+    {
+      message:
+        'AUTH_PROVIDER=ory requires AUTH_SECRET, ORY_SDK_URL, ORY_OAUTH2_CLIENT_ID, ORY_OAUTH2_CLIENT_SECRET, ORY_OAUTH2_AUDIENCE, ORY_PROJECT_API_TOKEN, and DASHBOARD_API_ADMIN_TOKEN',
+      path: ['AUTH_PROVIDER'],
+    }
+  )
 
 validateEnv(schema)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		spec/openapi.dashboard-api.yaml linguist-generated=true
		src/core/shared/contracts/dashboard-api.types.ts linguist-generated=true