Guides Overview

For customer-facing products that keep their OWN data backend untouched. They register Cargo as a Custom OIDC Provider with Auto-discovery OFF (manual endpoints; issuer copied from live discovery — the backend host) — NOT Third-Party Auth — disable local login, and use one signInWithOAuth('custom:cargo-ac') button. The backend mints its own native session, auto-provisions users (JIT), and verifies the app_access claim for entitlement.

Covers: CargoWorks AI (exim.cargoworks.ai), CargoWorks IO (track.cargoworks.io), Cargo Directory (global.cargo.directory). Cargo E-Mail follows the same pattern.

Same Model 2 flow for internal staff tools: register the Custom OIDC Provider with Auto-discovery OFF (manual endpoints; issuer copied from live discovery), one signInWithOAuth('custom:cargo-ac') button, native session minted locally, automatic JIT provisioning and global logout. Roles arrive from cargo.ac token claims, managed in admin.cargo.ac.

Hand to: internal tool teams (Network HUB, Exchange, ID, Expert, Support, Delivery, Cloud).

The branded, print-ready PDF plus a paste-ready Markdown brief you drop straight into a spoke's platform chat. It tells that project's AI exactly what to remove, add and verify — disable local auth, add the Custom OIDC Provider with Auto-discovery OFF (issuer copied from live discovery), wire the single button, and verify provisioning + the app_access entitlement check — guidance to distribute, not a page to follow on-screen.

Hand to: any spoke about to migrate — give them the kit to self-serve.

The account home — the ONLY place credentials live. It has real login, signup and reset screens, validates each incoming return URL, and bounces every user straight back to the spoke they came from, signed in. It SHARES this hub's backend, so no separate data project or OIDC provider.

Hand to: the one.cargo.ac team only.