Deep Dive - Authentication Architecture
Designing scalable, secure auth for a 1M+ DAU dev tool
OAuth 2.0 / OIDC fundamentals
After this you can explain the flows and pick the right one for a given client.
The Cursor JD leads with authentication. An EM for Core Services is expected to reach for the right OAuth flow without thinking, then explain the trade-off out loud while a peer pokes holes in it.
Start by separating two specs that interviewers love to conflate. OAuth 2.0 is an authorization framework: it answers "can this client act on this resource on the user's behalf," and it hands back access tokens. OIDCOpenID Connect. A modern standard that powers single sign-on, built on OAuth. is a thin identity layer on top of OAuth that adds an ID token - a signed JWT that says "this is who the user is." You ask OAuth for permission to call an API; you ask OIDC who just logged in.
Flow selection is a function of one question: can the client keep a secret? A backend service can. A desktop editor or a single-page app cannot, because anything shipped to a user's machine can be extracted.
- Client type
- Cursor desktop editor, web SPA
- Flow
- Authorization Code + PKCE
- Why
- Public client, no secret; PKCE binds the code to the requester so a stolen code is useless
- Client type
- Service-to-service (Core Services → internal API)
- Flow
- Client Credentials
- Why
- No human in the loop; the service authenticates as itself with a real secret
- Client type
- Headless / CLI / SSH box
- Flow
- Device Authorization
- Why
- No browser on the device; the user approves on a phone or laptop via a short code
- Client type
- Enterprise workforce login
- Flow
- OIDCOpenID Connect. A modern standard that powers single sign-on, built on OAuth. / SAMLAn enterprise standard that powers single sign-on. to the customer IdP
- Why
- The org owns identity; Cursor federates rather than holding passwords
| Client type | Flow | Why |
|---|---|---|
| Cursor desktop editor, web SPA | Authorization Code + PKCE | Public client, no secret; PKCE binds the code to the requester so a stolen code is useless |
| Service-to-service (Core Services → internal API) | Client Credentials | No human in the loop; the service authenticates as itself with a real secret |
| Headless / CLI / SSH box | Device Authorization | No browser on the device; the user approves on a phone or laptop via a short code |
| Enterprise workforce login | OIDCOpenID Connect. A modern standard that powers single sign-on, built on OAuth. / SAMLAn enterprise standard that powers single sign-on. to the customer IdP | The org owns identity; Cursor federates rather than holding passwords |
Pick by who holds the secret and whether a browser is present.
Why PKCE and why not implicitthe public-client story
Cursor's editor is a native app that talks to backend services and to SCM providers like GitHub. It has no safe place to store a client secret, so it uses Authorization Code + PKCE. The client generates a random code_verifier, sends its SHA-256 hash (code_challenge) on the authorize request, then proves possession of the verifier when redeeming the code. An attacker who intercepts the authorization code on the redirect cannot exchange it without the verifier.
code_verifier = random(64) // kept in memory on the client
code_challenge = base64url(sha256(code_verifier))
// 1. authorize: ?code_challenge=...&code_challenge_method=S256
// 2. user logs in -> redirect back with ?code=...
// 3. token: POST { code, code_verifier } // server recomputes the hashThe implicit flow returned tokens straight in the redirect URL fragment, where they leaked into browser history, referrer headers and logs. It is deprecated; PKCE replaced it for browser clients. If an interviewer asks why you avoided implicit, that is the whole answer and naming it signals you track the spec rather than copying a 2016 tutorial.
Constraining blast radiusredirect URIs and scopes
- Exact-match redirect URIs. Register the precise callback; reject wildcards and open redirects. A loose redirect turns PKCE's protection into theater because the code goes to the attacker's URL.
- Least-privilege scopes. A token that can only read one repo is a smaller breach than one that can write to every org the user belongs to. Scope is your blast-radius dial.
- `state` parameter. A random, verified
stateties the callback to the request you started and blocks CSRF on the redirect.
Where enterprise SSO and SCIM fitthe B2B reality
Enterprise buyers will not let Cursor own their employees' passwords. They federate: the user logs in at their own IdP (Okta, Entra, Google Workspace) over OIDCOpenID Connect. A modern standard that powers single sign-on, built on OAuth. or SAMLAn enterprise standard that powers single sign-on. and Cursor trusts the assertion. SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. runs alongside as the provisioning channel - when HR deboards someone, SCIM deprovisions the Cursor account automatically rather than waiting for a token to expire.
- Authorization
- OAuth 2.0 - access tokens to call APIs
- Authentication (consumer)
- OIDCOpenID Connect. A modern standard that powers single sign-on, built on OAuth. - ID token, who the user is
- Authentication (enterprise)
- SAMLAn enterprise standard that powers single sign-on. or OIDCOpenID Connect. A modern standard that powers single sign-on, built on OAuth. federation to the customer IdP
- Lifecycle / provisioning
- SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. - create and deprovision accounts in sync with the org
Interactive diagram. Tab through its regions; each focused region shows its detail in the panel below.
Each layer rests on the one below - OIDC is a thin identity layer on top of OAuth, not a replacement for it.
When asked to "design login for the editor," answer the flow question before you draw anything: "It's a public native client, so Authorization Code with PKCE - no client secret to leak and PKCE kills code interception." That one sentence tells the panel you have the reflex they screen for and it earns you room to design the rest.
Don't say "we'll use OAuth to log users in." OAuth is authorization; login is OIDCOpenID Connect. A modern standard that powers single sign-on, built on OAuth.'s job. Mixing them is the single most common tell that someone learned auth from copy-paste rather than from running it in production.
Takeaway. Pick the flow by who can hold a secret: Code+PKCE for the editor and SPAs, client credentials for services, device flow for headless - and keep OAuth (authorization) distinct from OIDCOpenID Connect. A modern standard that powers single sign-on, built on OAuth. (identity).
Self-check
QYou're designing login for the Cursor desktop editor. Which flow and why that one over the alternatives?
JWT vs sessions and the pitfalls
After this you can choose a token strategy and defend its trade-offs.
This is where interviewers find out whether you have the "strong opinions on reliability and performance" the JD asks for. The JWT-versus-session decision is a tax you pay on every single request at 1M+ DAU.
The core tension is stated in one line: JWTs are stateless and verify locally, so they scale beautifully, but you cannot easily un-issue one before it expires. Server-side sessions revoke instantly, because the truth lives in your store, but every request pays a lookup.
- Property
- Verify a request
- JWT (self-contained)
- Local signature check, no DB hit
- Server-side session
- Lookup in session store every request
- Property
- Revoke before expiry
- JWT (self-contained)
- Hard - token is valid until it isn't
- Server-side session
- Instant - delete the row
- Property
- Scale / hot path
- JWT (self-contained)
- Cheap, stateless, edge-friendly
- Server-side session
- Needs a fast, replicated store (Redis)
- Property
- Carries claims
- JWT (self-contained)
- Yes - roles, org, scopes travel in the token
- Server-side session
- Indirect - session id points at server state
- Property
- Blast radius if signing key leaks
- JWT (self-contained)
- Catastrophic - forge any token
- Server-side session
- Lower - still need a valid session row
| Property | JWT (self-contained) | Server-side session |
|---|---|---|
| Verify a request | Local signature check, no DB hit | Lookup in session store every request |
| Revoke before expiry | Hard - token is valid until it isn't | Instant - delete the row |
| Scale / hot path | Cheap, stateless, edge-friendly | Needs a fast, replicated store (Redis) |
| Carries claims | Yes - roles, org, scopes travel in the token | Indirect - session id points at server state |
| Blast radius if signing key leaks | Catastrophic - forge any token | Lower - still need a valid session row |
The whole debate in five rows. There is no free option, only a trade you can defend.
Interactive diagram. Tab through its regions; each focused region shows its detail in the panel below.
Step each dimension to see which side wins it - and why production ships a blend of the two.
The compromise everyone actually shipsshort access + long refresh
Production auth rarely picks a pure side. The standard pattern: a short-lived access JWT (5–15 minutes) for the hot path, a long-lived refresh token (days to weeks) held more carefully and a revocation check that runs only at refresh time.
- 1Issue. On login, mint an access JWT (~10 min) plus a refresh token tied to a server record.
- 2Serve. Verify the access JWT locally on every request - no DB hit, this is the throughput win.
- 3Refresh. When it expires, the client trades the refresh token for a new access JWT; this is the moment you check revocation and a
token_version. - 4Revoke. Bump the user's
token_versionor delete the refresh record; within one access-token TTL, all their tokens stop refreshing.
That token_version (or session_epoch) column is the trick that buys you near-instant revocation without paying for a lookup on every request. You accept a bounded staleness window equal to the access-token lifetime - make it short and that window is minutes, not days.
JWT failure modes to name unpromptedthe security-credibility checklist
A token claims it's unsigned and a naive verifier accepts it.
Pin the expected algorithm server-side; never trust the token's own alg header.
RS256 token re-signed as HS256 using the public key as the HMAC secret.
Same fix: hard-code the accepted alg, separate signing from verification keys.
A token minted for service A is replayed against service B.
Validate issuer and audience on every verify, not just the signature.
Stuffing every permission into the JWT bloats every request header.
Keep claims minimal; resolve fine-grained authz server-side.
Two more that bite at scale: tokens that never set exp and signing keys that are short, hand-rolled or shared across environments. A leaked HS256 secret lets anyone forge tokens for everyone, which is why asymmetric RS256/ES256 with a private signing key is the default at a 1M-user tool.
"I'd use short-lived access JWTs for the hot path so most requests verify locally and stay cheap, with refresh tokens and a token-version check for revocation. The cost is a bounded staleness window - about one access-token TTL - and I'd keep that under fifteen minutes so a compromised account can't stay live for long."
At 1M+ DAU, pure server-side sessions put a store lookup on every request, so that store becomes a single point of failure for the whole product. If Redis hiccups, nobody can do anything. Stateless JWT verification degrades gracefully because it needs no external call to authenticate - that's a reliability argument, not just a performance one and it's the framing Cursor wants from a Core Services EM.
Takeaway. Ship short-lived access JWTs (cheap local verify) plus refresh tokens and a token_version check (cheap revocation); you trade a bounded staleness window for not hitting a store on every request.
Self-check
QA teammate argues for pure stateless JWTs with no refresh tokens and a 24-hour expiry, "because it scales." What's the reliability and security problem and what would you propose instead?
RBAC and authorization modeling
After this you can model permissions for users, orgs and machine clients.
Authentication proves who is calling. Authorization decides what they're allowed to do. The JD's auth ownership is mostly the second one and it's where B2B dev-tool design gets genuinely hard.
Keep the two layers clean. The access token tells you the principal; a separate, centralized authorization decision tells you whether that principal may read this repo or invite that member. Bleeding authz logic into every service is how a flat org ends up with seven inconsistent permission checks and a security incident.
RBAC for a B2B toolthe org / team / role spine
Cursor is sold to organizations, so the model has tenancy baked in. A user belongs to one or more orgs; an org has teams; roles attach at the org or team level and grant permissions.
- Org Owner
- Billing, SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool. config, delete org, manage all members
- Org Admin
- Manage members and teams, set policies, no billing
- Member
- Use the product, access assigned repos and teams
- Service account
- Machine principal with its own narrow scopes, no human login
Roles are coarse and few. Fine-grained access comes from the resource layer below.
Where pure RBAC breaks: resource-level accessand why ReBAC enters
Roles answer org-wide questions well and resource-specific questions badly. "Can Maya read repo X" is not a role - it's a relationship between a user and one resource and modeling every such grant as a role explodes into role sprawl. This is the case for ReBAC (relationship-based access control), the Google Zanzibar model behind tools like SpiceDB and OpenFGA.
- Model
- RBACRole-Based Access Control. Granting permissions by role rather than configuring each person individually.
- Good at
- Coarse org-wide capability (admin vs member)
- Weak at
- Per-resource sharing, exploding role counts
- Use it for
- Org/team roles, billing, policy
- Model
- ReBAC (Zanzibar)
- Good at
- "user X relates to resource Y" at scale
- Weak at
- Conceptual overhead, another system to run
- Use it for
- Repo/file/agent-run-level sharing
- Model
- ABAC (attribute)
- Good at
- Conditional rules (region, time, IP)
- Weak at
- Hard to audit, decisions get opaque
- Use it for
- Compliance overlays, residency
| Model | Good at | Weak at | Use it for |
|---|---|---|---|
| RBACRole-Based Access Control. Granting permissions by role rather than configuring each person individually. | Coarse org-wide capability (admin vs member) | Per-resource sharing, exploding role counts | Org/team roles, billing, policy |
| ReBAC (Zanzibar) | "user X relates to resource Y" at scale | Conceptual overhead, another system to run | Repo/file/agent-run-level sharing |
| ABAC (attribute) | Conditional rules (region, time, IP) | Hard to audit, decisions get opaque | Compliance overlays, residency |
Real systems blend them: RBAC for the spine, ReBAC for resource sharing.
For Cursor specifically, repo and agent-workspace access is the relationship-heavy part, so a Zanzibar-style layer for resource sharing on top of plain RBACRole-Based Access Control. Granting permissions by role rather than configuring each person individually. for org roles is a defensible answer. Frame it as general-industry practice - you don't need to claim Cursor runs OpenFGA, only that the resource-sharing shape calls for ReBAC thinking.
Machine clients, scopes and auditthe parts juniors forget
- Service accounts get their own role model. A CI bot is not a person with a person's role; give it a machine principal with least-privilege scopes and no interactive session.
- Token scopes enforce least privilege per-credential. Even an admin's token, when minted for a read-only task, should carry read-only scope. Scope narrows the breach when a single token leaks.
- The authz path must be fast and centralized. A check on every product surface that disagrees with the others is a contract bug; a shared decision service (or shared library + cache) is the fix and it's a service-contract problem, not a feature.
- Audit every authz decision. "Who accessed what, when and was it allowed" is both an incident-response tool and a hard requirement in enterprise security reviews. Logging only denials is not enough; sales will ask for the allows too.
When the design veers into per-repo sharing, say the word "Zanzibar" and explain the shape: "RBACRole-Based Access Control. Granting permissions by role rather than configuring each person individually. handles org roles, but repo-level sharing is relationship data - user relates to repo as viewer - which is what ReBAC systems like SpiceDB model." Naming the pattern and its limits reads as senior; pretending RBAC alone covers per-resource sharing reads as someone who hasn't run a multi-tenant product.
Don't centralize authz into a synchronous service on the request hot path without a caching and fallback story. If the authz service is a hard dependency for every API call and it goes down, you've coupled all of product reliability to one box. Cache decisions, set sane TTLs and decide deliberately whether to fail open or closed per surface.
Takeaway. Use RBACRole-Based Access Control. Granting permissions by role rather than configuring each person individually. for the org/team/role spine and a ReBAC (Zanzibar) layer for per-resource sharing; keep authz centralized, scoped least-privilege for machine clients and audited for every decision.
Self-check
QUsers want to share a single repository with one specific teammate. Your model is plain role-based access control. Why is that a poor fit and what do you reach for?
Rotation, revocation & secrets
After this you can design the lifecycle that keeps auth secure over time.
Auth that's secure on launch day and never rotates a key is auth waiting for a breach. The lifecycle - keys, refresh tokens, secrets and a breach plan - is what separates an EM who has operated auth from one who has only diagrammed it.
Key rotation with overlapping validityJWKS and the kid header
You rotate signing keys regularly, but you can't flip them atomically across a fleet - tokens signed with the old key are still in flight. The answer is overlap: publish both keys, sign new tokens with the new key and keep verifying old tokens until they age out.
- 1Publish. Expose a JWKS endpoint listing current public keys, each tagged with a
kid(key id). - 2Add the new key. Add key B to JWKS alongside key A; verifiers can now check tokens signed by either.
- 3Cut over signing. Start signing new tokens with key B; the token's
kidheader tells verifiers which to use. - 4Drain. Wait one max token lifetime so every key-A token has expired.
- 5Retire. Remove key A from JWKS. No token in existence references it anymore.
Interactive diagram. Tab through its regions; each focused region shows its detail in the panel below.
The drain step is the gate: you cannot retire the old key until every token signed with it has expired.
The kid header is what makes this integrated - the verifier reads it, fetches the matching key from JWKS and never has to guess. Clients cache JWKS, so set a sane cache TTL and they pick up new keys without a deploy.
Refresh-token rotation with reuse detectioncatching theft
Every time a refresh token is redeemed, issue a new one and invalidate the old. If the old one is ever presented again, you have a problem: either the legitimate client or a thief is replaying it and you can't tell which - so you revoke the whole token family and force re-login.
- Normal redeem
- Old token consumed, new token issued, family chain advances
- Old token reused
- Reuse detected - revoke the entire family, force re-auth
- Result
- A stolen refresh token is good for at most one use before it trips the alarm
Reuse detection turns a silent theft into a loud, self-healing event.
Revocation: pick your latencyimmediacy vs hot-path cost
- Strategy
- Short TTL + token-version check at refresh
- Revocation speed
- Within one access-token TTL
- Hot-path cost
- None on normal requests
- Strategy
- Deny-list of revoked token ids
- Revocation speed
- Immediate
- Hot-path cost
- A lookup (cacheable) per request
- Strategy
- Pure long-lived JWT, no list
- Revocation speed
- Only at expiry
- Hot-path cost
- None - but effectively can't revoke
- Strategy
- Server-side sessions
- Revocation speed
- Immediate
- Hot-path cost
- A store lookup per request
| Strategy | Revocation speed | Hot-path cost |
|---|---|---|
| Short TTL + token-version check at refresh | Within one access-token TTL | None on normal requests |
| Deny-list of revoked token ids | Immediate | A lookup (cacheable) per request |
| Pure long-lived JWT, no list | Only at expiry | None - but effectively can't revoke |
| Server-side sessions | Immediate | A store lookup per request |
There's no zero-cost instant revocation; choose the trade per surface.
For most of Cursor's traffic, short TTLs plus a token_version check are enough. Reserve an immediate deny-list for the high-stakes cases - a confirmed compromised account, an emergency "log this person out now" - where a few minutes of staleness is unacceptable.
Secrets and the breach planthe operational half
- Signing keys never ship to clients. A public client verifies nothing with a private key; it only holds short-lived tokens. Private keys live in a KMS or secrets manager, scoped to the issuing service.
- SCM provider credentials rotate too. The GitHub/GitLab app secrets and webhook signing secrets your integrations depend on are secrets like any other - put them on a rotation schedule and store them in the same vault.
- Know your blast radiusHow much breaks if a change goes wrong; the scope of potential damage. before the breach. Have an answer to "how fast can we invalidate everything and what breaks when we do." Rotating the signing key logs out every user; bumping all token versions does the same. Practice it so the answer in the incident is muscle memory, not a debate.
If asked "a signing key leaked at 2am - what now," walk the runbook: rotate the key via JWKS (overlap so live sessions survive where safe), revoke the family of any tokens you believe compromised, force re-auth for the blast radiusHow much breaks if a change goes wrong; the scope of potential damage. and only then post-mortem how the key escaped. Showing you've thought about the recovery, not just the prevention, is the senior signal.
A sound rotation design answers all four: tokens stay verifiable mid-rollover (JWKS + kid overlap), a stolen refresh token self-destructs (reuse detection), an individual can be revoked fast (short TTL + version or deny-list) and a full invalidation is a known, rehearsed operation. If any one is missing, name it as a gap rather than hoping nobody asks.
Takeaway. Rotate signing keys with overlapping JWKS validity (kid header), rotate refresh tokens with reuse detection, pick revocation latency per surface and rehearse the "invalidate everything" path before you need it.
Self-check
QWhy publish a JWKS endpoint with kid headers instead of just hard-coding the current signing key in every verifier?
Design exercise: secure the editor
After this you can run an end-to-end auth design you can present in the loop.
Time to assemble the pieces into one design you can present and defend. This is the shape the system-design deep-dive takes and rehearsing it end to end is how you walk in with a structure instead of improvising under pressure.
"Design authentication for the Cursor editor: a native desktop app connecting a million-plus daily users to our backend services and to SCM providers like GitHub, with org-level access control. Walk me through it."
Open by restating constraints and naming the flow, so the panel knows you've placed the problem: public native client, 1M+ DAU, auth on every request, multi-tenant orgs, third-party SCM. Then march through the lifecycle.
- 1Login. Authorization Code + PKCE in the system browser; exact-match redirect,
statefor CSRF, least-privilege scopes. Enterprise tenants federate to their IdP over OIDCOpenID Connect. A modern standard that powers single sign-on, built on OAuth./SAMLAn enterprise standard that powers single sign-on.. - 2Issuance & storage. Mint a short-lived access JWT (~10 min, RS256) plus a refresh token. Store tokens in the OS secure storage (Keychain / Credential Manager / libsecret), never plaintext on disk.
- 3Serve requests. Verify the access JWT locally on the hot path - no per-request DB hit. Claims carry user id, org and coarse role.
- 4Refresh & revoke. Rotate refresh tokens with reuse detection; check
token_versionat refresh so revocation lands within one access TTL. Keep a deny-list for emergency log-out-now. - 5Authorize. RBACRole-Based Access Control. Granting permissions by role rather than configuring each person individually. for org/team roles in claims; a ReBAC layer for per-repo sharing. SCM access uses separately-scoped OAuth tokens to GitHub/GitLab, stored and refreshed independently.
- 6Rate limit. Throttle token and refresh endpoints per client and per IP; auth endpoints are a favorite target for credential stuffing.
The reliability storyauth is on every request
Because authentication sits on the hot path of a 1M-user product, its availability is the product's availability. Lead the reliability section with that and the trade-offs follow naturally.
- Local verify
- Stateless JWT check needs no external call - auth survives a store outage
- Caching
- JWKS and any authz decisions cached with sane TTLs to cut hot-path latency
- Regional availability
- Token issuance and JWKS served multi-region so a region loss doesn't lock users out
- Graceful degradation
- Decide per surface whether to fail open or closed if authz lookup is unavailable
The security surfacename the attacks, name the mitigation
- Attack
- Phishing
- How it works
- Fake login page harvests credentials
- Mitigation in this design
- Federate to the IdP; enforce MFA; short token lifetimes limit damage
- Attack
- Token theft
- How it works
- Token lifted from disk or memory
- Mitigation in this design
- OS secure storage, short access TTL, refresh rotation with reuse detection
- Attack
- Redirect / code interception
- How it works
- Attacker captures the auth code on callback
- Mitigation in this design
- PKCE binds code to requester; exact-match redirect URIs;
state
- Attack
- Credential stuffing
- How it works
- Botnet replays leaked passwords
- Mitigation in this design
- Rate limit + lockout on auth endpoints; MFA; IdP federation
| Attack | How it works | Mitigation in this design |
|---|---|---|
| Phishing | Fake login page harvests credentials | Federate to the IdP; enforce MFA; short token lifetimes limit damage |
| Token theft | Token lifted from disk or memory | OS secure storage, short access TTL, refresh rotation with reuse detection |
| Redirect / code interception | Attacker captures the auth code on callback | PKCE binds code to requester; exact-match redirect URIs; state |
| Credential stuffing | Botnet replays leaked passwords | Rate limit + lockout on auth endpoints; MFA; IdP federation |
Walk the table out loud - naming the threat then its mitigation is the senior move.
Close with the service contractthis is the EM differentiator
An IC stops at the design. An EM for Core Services closes with the contract: what guarantees this layer exposes to the product teams who build on it and how it changes them without breaking everyone.
- What we expose. A token-verification primitive (local, microsecond-fast), an authz-decision API and a documented claim shape. Product teams never reimplement auth.
- Our guarantees. A stated availability SLO for token issuance, a verification latency budget and a maximum revocation-propagation window so callers know how stale a permission can be.
- How we version. Additive claim changes are backward-compatible; breaking changes ship behind a new claim version with an overlap window and contract tests, the same overlap discipline as key rotation.
"I'll close on the contract, because that's the Core Services job. We expose local token verification, a central authz decision and a stable claim shape, with an SLO on issuance availability and a stated maximum revocation-propagation window. Breaking changes ride a versioned claim with an overlap period and contract tests - so product teams can build on us without auth becoming their problem."
Don't present this as a closed monologue. Cursor's loop rewards spirited, truth-seeking debate, so invite the panel to push: "Where would you push back on the fail-open call?" Defending a trade-off under challenge - and conceding when they're right - shows more than a flawless diagram does.
Takeaway. Present auth end to end - PKCE login → short JWT + refresh → RBACRole-Based Access Control. Granting permissions by role rather than configuring each person individually./ReBAC authz → rate limiting - then lead with the reliability story (auth is on every request) and close on the versioned service contract Core Services owes product teams.
Self-check
QYou've sketched the full auth flow for the editor. What should an Engineering Manager for Core Services add that a strong IC candidate would likely leave out?