Feature Request: Multi-Organization Session Support #252

@Makisuo

Description

Problem Statement

Currently, users can only be authenticated to a single organization at a time. The JWT contains a single organizationId, and switching between organizations requires a full re-authentication flow through WorkOS OAuth. This creates significant friction for users who work across multiple organizations.

Current behavior:

  • JWT stores one organizationId
  • URL structure uses /$orgSlug/ routes
  • Organization context is enforced in the layout component
  • When the JWT's organizationId doesn't match the route's org, users are forced to re-login
  • Switching orgs triggers a complete OAuth flow each time

Proposed Solution

Enable concurrent organization sessions, allowing users to maintain authenticated sessions across multiple organizations without re-authentication.

Key Changes

  1. Session Architecture

    • Support multiple org sessions per user
    • Store org-specific tokens/credentials separately
    • Maintain seamless switching between orgs
  2. Token Management

    • Consider multi-org JWT structure or separate tokens per org
    • Handle token refresh independently per organization
    • Maintain security isolation between org contexts
  3. Route Handling

    • Route changes between orgs should use cached credentials
    • Only prompt for login when no valid session exists for target org

Use Cases

  1. Consultants/Agencies - Managing multiple client organizations from a single browser session
  2. Team Leads - Working across different department/project organizations
  3. Cross-functional Collaboration - Users who belong to multiple teams that have separate workspaces
  4. Account Switching - Quick context switching between personal and work organizations

Technical Considerations

  • JWT Structure: May need to move from single-org JWT to either multi-org JWT or separate token storage per org
  • WorkOS Integration: Investigate WorkOS session management capabilities for multi-org scenarios
  • Security: Ensure proper isolation between organization contexts
  • Storage: Consider where to persist multiple org sessions (localStorage, cookies, etc.)
  • Token Refresh: Handle refresh flows independently for each org session
  • Layout/Context: Update org context providers to support cached multi-org state
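To make the Key Changes and Technical Considerations above concrete, here is an added sketch of the per-org session cache with independent expiry and the "only prompt for login when no valid session exists for the target org" route check. It is illustration code written for this issue, not the project's code; the slugs, org IDs and tokens are constructed placeholders, and no WorkOS API is assumed.

```typescript
// Added illustration of the proposed per-org session cache, not the project's
// code. Tokens are constructed placeholders, not real WorkOS JWTs.

interface OrgSession {
  orgId: string;
  accessToken: string; // credential scoped to exactly one organization
  expiresAt: number;   // epoch milliseconds
}

type RouteAccess =
  | { kind: "authenticated"; session: OrgSession }
  | { kind: "login_required"; reason: "no_session" | "expired" };

class MultiOrgSessionStore {
  // One entry per org, keyed by route slug: sessions expire and refresh
  // independently, and a token cached for org A never satisfies org B.
  private sessions = new Map<string, OrgSession>();

  put(orgSlug: string, session: OrgSession): void {
    this.sessions.set(orgSlug, session);
  }

  // What a route change to /$orgSlug/ should do: reuse the cached session
  // for that org, or send the user through the OAuth flow for it.
  resolveRouteAccess(orgSlug: string, now: number = Date.now()): RouteAccess {
    const session = this.sessions.get(orgSlug);
    if (!session) return { kind: "login_required", reason: "no_session" };
    if (session.expiresAt <= now) {
      this.sessions.delete(orgSlug); // never hand out an expired credential
      return { kind: "login_required", reason: "expired" };
    }
    return { kind: "authenticated", session };
  }

  // Refresh one org's token without touching any other org's session.
  refresh(orgSlug: string, accessToken: string, expiresAt: number): boolean {
    const current = this.sessions.get(orgSlug);
    if (!current) return false;
    this.sessions.set(orgSlug, { ...current, accessToken, expiresAt });
    return true;
  }
}

// Constructed sample state: two orgs, one of which expires within the minute.
function buildSampleStore(now: number): MultiOrgSessionStore {
  const store = new MultiOrgSessionStore();
  store.put("acme", { orgId: "org_acme", accessToken: "tok_acme_placeholder", expiresAt: now + 3_600_000 });
  store.put("globex", { orgId: "org_globex", accessToken: "tok_globex_placeholder", expiresAt: now + 60_000 });
  return store;
}
```

Because the store is keyed per org, expiry of the `globex` session leaves the `acme` session untouched, which is the isolation the acceptance criteria call for.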

Acceptance Criteria

  • Users can switch between organizations they belong to without re-authentication
  • Each organization session maintains its own authentication state
  • Security isolation is maintained between organization contexts
  • Session expiry is handled independently per organization
  • Existing single-org flows continue to work for users with one org
