Authentication
All ProductOS surfaces share a single authentication layer, powered by Better Auth and backed by a shared Postgres database. You sign in once and your session works acrossbeta.productos.dev, develop.productos.dev, and design.productos.dev: session cookies are set at the .productos.dev domain level, so moving between surfaces never asks you to log in again.
Supported sign-in methods:
- Google OAuth
- GitHub OAuth
- Email and password, with password reset emails delivered via Resend using time-limited tokens
Where your data lives
Each surface has its own application database; only identity is shared. All web surfaces run on Vercel, with Content Security Policy headers configured per surface to restrict script and resource origins, and CORS configured for legitimate cross-surface calls.
Your generated code has a home you control: it syncs to your own GitHub repository as it is written, and you can export your project in full at any time. See Code ownership.
Sandbox isolation
AI-generated code never runs on your machine or on shared platform hosts. Each project runs in an isolated cloud sandbox (powered by Blaxel) that provides a live preview URL without exposing the host environment. The sandbox lifecycle is contained end to end:- A sandbox is created or resumed for your project
- Agents write files, install dependencies, and run builds inside it
- A preview URL is returned for the embedded preview
- Generated code is persisted to your project
- The sandbox is cleaned up after an inactivity timeout