diff --git a/.env b/.env
index 1ea6cd5b..12780c6a 100644
--- a/.env
+++ b/.env
@@ -19,12 +19,53 @@ NUXT_PUBLIC_USING_GITHUB_AUTH=false
 # Create with scopes copilot, manage_billing:copilot or manage_billing:enterprise, read:enterprise AND read:org
 NUXT_GITHUB_TOKEN=<TOKEN>
 
+# --- GitHub App (alternative to PAT — no user-specific token needed) ---
+# Set all three to use GitHub App installation tokens for data fetching.
+# Works with any OAuth provider (Google, Microsoft, Auth0, Keycloak) for user identity.
+# NUXT_GITHUB_APP_ID=123456
+# NUXT_GITHUB_APP_PRIVATE_KEY=-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----
+# (Installation ID is auto-discovered from NUXT_PUBLIC_GITHUB_ORG — no manual config needed)
+
 NUXT_SESSION_PASSWORD=something_long_and_random_thats_at_least_32_characters
 
-# for Github OAuth
+# --- Authentication (OAuth) ---
+# Set NUXT_PUBLIC_REQUIRE_AUTH=true to require users to sign in before accessing the app.
+# Configure one or more providers below, then list them in NUXT_PUBLIC_AUTH_PROVIDERS.
+NUXT_PUBLIC_REQUIRE_AUTH=false
+
+# Comma-separated list of active OAuth providers shown in the UI login screen.
+# Supported: github, google, microsoft, auth0, keycloak
+# Example: NUXT_PUBLIC_AUTH_PROVIDERS=github
+NUXT_PUBLIC_AUTH_PROVIDERS=
+
+# GitHub OAuth (NUXT_PUBLIC_AUTH_PROVIDERS=github)
 NUXT_OAUTH_GITHUB_CLIENT_ID=
 NUXT_OAUTH_GITHUB_CLIENT_SECRET=
 
+# Google OAuth (NUXT_PUBLIC_AUTH_PROVIDERS=google)
+# NUXT_OAUTH_GOOGLE_CLIENT_ID=
+# NUXT_OAUTH_GOOGLE_CLIENT_SECRET=
+
+# Microsoft / Entra ID (NUXT_PUBLIC_AUTH_PROVIDERS=microsoft)
+# NUXT_OAUTH_MICROSOFT_CLIENT_ID=
+# NUXT_OAUTH_MICROSOFT_CLIENT_SECRET=
+# NUXT_OAUTH_MICROSOFT_TENANT=  # restricts login to your Azure AD tenant (recommended)
+
+# Auth0 (NUXT_PUBLIC_AUTH_PROVIDERS=auth0)
+# NUXT_OAUTH_AUTH0_CLIENT_ID=
+# NUXT_OAUTH_AUTH0_CLIENT_SECRET=
+# NUXT_OAUTH_AUTH0_DOMAIN=your-tenant.auth0.com
+
+# Keycloak (NUXT_PUBLIC_AUTH_PROVIDERS=keycloak)
+# NUXT_OAUTH_KEYCLOAK_CLIENT_ID=
+# NUXT_OAUTH_KEYCLOAK_CLIENT_SECRET=
+# NUXT_OAUTH_KEYCLOAK_SERVER_URL=https://keycloak.company.com
+# NUXT_OAUTH_KEYCLOAK_REALM=your-realm
+
+# Optional: restrict access to specific users or email domains (any provider)
+# NUXT_AUTHORIZED_USERS=alice,bob@company.com
+# NUXT_AUTHORIZED_EMAIL_DOMAINS=company.com,corp.org
+
 # to use a corporate proxy
 # HTTP_PROXY=http://proxy.company.com:8080
 
diff --git a/.env.example b/.env.example
index 3a0b5149..7d310ee9 100644
--- a/.env.example
+++ b/.env.example
@@ -20,9 +20,6 @@ NUXT_PUBLIC_GITHUB_ENT=
 # Determines the team name if exists to target API calls.
 NUXT_PUBLIC_GITHUB_TEAM=
 
-# Enable GitHub OAuth authentication
-NUXT_PUBLIC_USING_GITHUB_AUTH=false
-
 # ------------------------------------------------------------------------------
 # Authentication
 # ------------------------------------------------------------------------------
@@ -35,10 +32,19 @@ NUXT_PUBLIC_USING_GITHUB_AUTH=false
 # Must be at least 32 characters long
 NUXT_SESSION_PASSWORD=something_long_and_random_thats_at_least_32_characters
 
-# GitHub OAuth App credentials (if using GitHub auth)
+# OAuth login — set AUTH_PROVIDERS to enable (implies authentication required)
+# Supported values: github, google, microsoft, auth0, keycloak (comma-separated)
+# NUXT_PUBLIC_AUTH_PROVIDERS=github
+
+# GitHub OAuth App credentials
 NUXT_OAUTH_GITHUB_CLIENT_ID=
 NUXT_OAUTH_GITHUB_CLIENT_SECRET=
 
+# GitHub App credentials (for installation token auth — decoupled from user login)
+# Find the App ID at github.com/settings/apps/<slug> or github.com/organizations/<org>/settings/apps/<slug>
+# NUXT_GITHUB_APP_ID=123456
+# NUXT_GITHUB_APP_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"
+
 # ------------------------------------------------------------------------------
 # API Migration Configuration (New Features)
 # ------------------------------------------------------------------------------
diff --git a/DEPLOYMENT.md b/DEPLOYMENT.md
index 25fd79be..b90598fe 100644
--- a/DEPLOYMENT.md
+++ b/DEPLOYMENT.md
@@ -44,19 +44,20 @@ Review available [Nuxt Deployment Options](https://nuxt.com/deploy).
 >[!WARNING]
 > Copilot Metrics Viewer requires a backend, hence it cannot be deployed as a purely static web app.
 
-## Authentication with GitHub
+## Authentication
 
-The Metrics Viewer can be integrated with GitHub application authentication, which authenticates the user and verifies their permissions to view the metrics. This option is recommended since it doesn't use Personal Access Tokens. The downside of using a GitHub application is that it can only authorize users to view metrics at the organization level (no support for Enterprise).
+The Metrics Viewer supports two modes:
 
-For Enterprise level authentication review [Github OAuth Apps](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/differences-between-github-apps-and-oauth-apps).
+- **PAT mode (default)**: A GitHub Personal Access Token is stored in the backend. Users access the app without signing in. The app renders metrics fetched using the PAT. No user authentication happens.
+- **OAuth mode**: Users must sign in through an identity provider before accessing the dashboard. The app supports GitHub, Google, Microsoft Entra ID, Auth0, and Keycloak — configured entirely by environment variables.
 
-With a Personal Access Token, user credentials are not verified, and the application simply renders Copilot metrics fetched using the PAT stored in the backend.
+See the [Authentication](#authentication-1) reference section for setup details.
 
-## Authentication for Copilot Metrics Viewer
+## Platform security for Azure
 
-By default Azure Deployments deploy a web app available on the public Internet without authentication (unless GitHub app is used).
+By default Azure Deployments deploy a web app available on the public Internet without authentication (unless OAuth is configured).
 
-Application can be easily secured in azure using built-in features like Authentication settings on ACA/AppService (EasyAuth on Azure). Azure Container Apps and App Services allow for adding IP restrictions on ingress. Both can also be deployed using private networking architectures. 
+Application can be easily secured in Azure using built-in features like Authentication settings on ACA/AppService (EasyAuth on Azure). Azure Container Apps and App Services allow for adding IP restrictions on ingress. Both can also be deployed using private networking architectures.
 
 Options below provide most basic and cost effective ways of hosting copilot-metrics-viewer.
 
@@ -339,7 +340,7 @@ curl -X POST http://localhost:3000/api/admin/sync \
 
 | Variable | Description | Required |
 |----------|-------------|----------|
-| `NUXT_GITHUB_TOKEN` | GitHub PAT with Copilot metrics permission | Yes (unless OAuth) |
+| `NUXT_GITHUB_TOKEN` | GitHub PAT with Copilot metrics permission | Yes (PAT mode) |
 | `NUXT_PUBLIC_SCOPE` | `organization` or `enterprise` (legacy `team-organization`/`team-enterprise` have been removed; existing values are auto-normalized) | Yes |
 | `NUXT_PUBLIC_GITHUB_ORG` | GitHub organization slug | For org scope |
 | `NUXT_PUBLIC_GITHUB_ENT` | GitHub enterprise slug | For enterprise scope |
@@ -348,37 +349,245 @@ curl -X POST http://localhost:3000/api/admin/sync \
 | `ENABLE_HISTORICAL_MODE` | `true` to read metrics from database | Historical mode only |
 | `SYNC_ENABLED` | `true` for sync service, `false` for web app | Historical mode only |
 | `SYNC_DAYS_BACK` | Days to sync (default: 1 for daily, 28 for bulk) | Sync only |
-| `NUXT_PUBLIC_USING_GITHUB_AUTH` | `true` to enable GitHub OAuth | Optional |
-| `NUXT_OAUTH_GITHUB_CLIENT_ID` | GitHub App client ID | For OAuth |
-| `NUXT_OAUTH_GITHUB_CLIENT_SECRET` | GitHub App client secret | For OAuth |
+| `NUXT_PUBLIC_AUTH_PROVIDERS` | Comma-separated active providers: `github`, `google`, `microsoft`, `auth0`, `keycloak` — setting this enables authentication | OAuth mode |
+| `NUXT_OAUTH_GITHUB_CLIENT_ID` | GitHub App client ID | GitHub OAuth |
+| `NUXT_OAUTH_GITHUB_CLIENT_SECRET` | GitHub App client secret | GitHub OAuth |
+| `NUXT_OAUTH_GOOGLE_CLIENT_ID` | Google OAuth client ID | Google OAuth |
+| `NUXT_OAUTH_GOOGLE_CLIENT_SECRET` | Google OAuth client secret | Google OAuth |
+| `NUXT_OAUTH_MICROSOFT_CLIENT_ID` | Microsoft app client ID | Microsoft OAuth |
+| `NUXT_OAUTH_MICROSOFT_CLIENT_SECRET` | Microsoft app client secret | Microsoft OAuth |
+| `NUXT_OAUTH_MICROSOFT_TENANT` | Azure AD tenant ID (restricts to your org) | Microsoft OAuth |
+| `NUXT_OAUTH_AUTH0_CLIENT_ID` | Auth0 app client ID | Auth0 OAuth |
+| `NUXT_OAUTH_AUTH0_CLIENT_SECRET` | Auth0 app client secret | Auth0 OAuth |
+| `NUXT_OAUTH_AUTH0_DOMAIN` | Auth0 tenant domain, e.g. `company.auth0.com` | Auth0 OAuth |
+| `NUXT_OAUTH_KEYCLOAK_CLIENT_ID` | Keycloak client ID | Keycloak OAuth |
+| `NUXT_OAUTH_KEYCLOAK_CLIENT_SECRET` | Keycloak client secret | Keycloak OAuth |
+| `NUXT_OAUTH_KEYCLOAK_SERVER_URL` | Keycloak server URL | Keycloak OAuth |
+| `NUXT_OAUTH_KEYCLOAK_REALM` | Keycloak realm name | Keycloak OAuth |
+| `NUXT_AUTHORIZED_USERS` | Comma-separated logins/emails allowed to log in (any provider) | Optional |
+| `NUXT_AUTHORIZED_EMAIL_DOMAINS` | Comma-separated email domains allowed, e.g. `company.com` | Optional |
+
+## Authentication
+
+The app supports the following authentication modes, selected entirely by environment variables. No code changes are needed to switch providers.
+
+### PAT Mode (default — no user login)
+
+Set a GitHub Personal Access Token. All visitors see the dashboard without signing in.
 
-## Github App Registration
+```bash
+NUXT_GITHUB_TOKEN=ghp_...
+```
+
+The PAT must have the following scopes:
+- `read:org` — read organization membership
+- `copilot` — read Copilot usage
+- `manage_billing:copilot` — read seat management (optional)
+
+In PAT mode the toolbar shows a shield icon (🛡) that explains available OAuth options when clicked.
+
+---
+
+### GitHub App Installation Token (no PAT required)
+
+A GitHub App installation token lets the backend fetch Copilot data **without any user-owned PAT**. This is the recommended credential for deployments where users authenticate via Google, Microsoft, Auth0, or Keycloak (i.e. non-GitHub identity providers).
+
+**Why use this instead of a PAT?**
+
+| | PAT | GitHub App installation token |
+|---|---|---|
+| Tied to a specific user account | ✅ yes | ❌ no — machine credential |
+| Revoked when user leaves org | ✅ yes | ❌ no |
+| Scoped to exactly the permissions you grant | limited | ✅ yes |
+| Works with Google/Microsoft/Auth0/Keycloak auth | ✅ yes (workaround) | ✅ yes (native) |
+
+**Create a GitHub App:**
 
-While it is possible to run the API Proxy without GitHub app registration and with a hardcoded token, it is not the recommended way.
+1. Go to your org → Settings → Developer Settings → GitHub Apps → **New GitHub App**
+2. Give it a name (e.g. `copilot-metrics-viewer`)
+3. Disable Webhook (uncheck "Active")
+4. Under **Repository permissions**: none required
+5. Under **Organization permissions**:
+   - `Copilot` → Read-only
+   - `Members` → Read-only (for seat analysis)
+6. Set "Where can this GitHub App be installed?" → **Only on this account**
+7. Click **Create GitHub App**, then note the **App ID** on the next page
 
-To register a new GitHub App, follow these steps:
+**Generate a private key:**
+
+1. On the App settings page, scroll to **Private keys** → **Generate a private key**
+2. A `.pem` file downloads automatically
+3. Flatten the key to a single-line env var:
+   ```bash
+   # macOS/Linux — prints the key with literal \n between lines
+   awk 'NF {printf "%s\\n", $0}' ~/Downloads/my-app.private-key.pem
+   ```
+4. Copy the output (starts with `-----BEGIN RSA PRIVATE KEY-----\n...`)
+
+**Install the App on your org:**
+
+1. On the App page, click **Install App** → choose your org → **Install**
+2. The installation ID is **auto-discovered** at runtime — no manual configuration needed.
+   If you have multiple installs, the app matches against `NUXT_PUBLIC_GITHUB_ORG`, or shows an org picker.
+
+**Configure env vars:**
+
+```bash
+NUXT_GITHUB_APP_ID=123456
+NUXT_GITHUB_APP_PRIVATE_KEY=-----BEGIN RSA PRIVATE KEY-----\nMIIEo...\n-----END RSA PRIVATE KEY-----
+```
+
+> [!NOTE]
+> When `NUXT_GITHUB_APP_ID` + `NUXT_GITHUB_APP_PRIVATE_KEY` are set, the app auto-discovers the installation for the configured org and uses an installation token for every data request. The `NUXT_GITHUB_TOKEN` PAT is ignored.
+>
+> If the App is installed on multiple orgs and no `NUXT_PUBLIC_GITHUB_ORG` is set, users are shown an org picker after login.
 
 > [!TIP]
-> Navigate using link: replace `<your_org>` with your organization name and open this link:
-[https://github.com/organizations/<your_org>/settings/apps](https://github.com/organizations/<your_org>/settings/apps)
-
-or navigate using UI:
-1. Go to your organization's settings.
-2. Navigate to "Developer settings".
-3. Select "GitHub Apps".
-4. Click "New GitHub App".
-
-1. Set a unique name.
-2. Provide a home page URL: your company URL or just `http://localhost`.
-3. Add a callback URL for `http://localhost:3000/auth/github`. (We'll add the real redirect URL after the application is deployed.)
-4. Uncheck the "Webhook -> Active" checkbox.
-5. Set the permissions:
-   - Select **Organization permissions**.
-   - Under **Members**, select **Access: Read-only**.
-   - Under **Copilot Metrics**, select **Access: Read-only**.
-   - Under **Copilot Seat Management**, select **Access: Read-only**.
-6. Click on 'Create GitHub App' and, in the following page, click on 'Generate a new client secret'.
-7. Note the `Client ID` and `Client Secret` (copy it to a secure location). This is required for the application to authenticate with GitHub.
-8. Install the app in the organization:
-   - Go to "Install App".
-   - Select your organization.
+> Installation tokens are cached in memory for up to 55 minutes and automatically refreshed. You don't need to restart the server.
+
+---
+
+### GitHub OAuth
+
+Requires a [GitHub App](https://docs.github.com/en/apps/creating-github-apps/about-creating-github-apps/about-creating-github-apps) or [OAuth App](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/creating-an-oauth-app).
+
+**Create a GitHub App:**
+
+1. Go to your org → Settings → Developer Settings → GitHub Apps → New GitHub App
+2. Set **Callback URL**: `https://<your-app>/auth/github`
+3. Uncheck **Active** under Webhooks
+4. Set permissions: Organization → Members (Read), Copilot Metrics (Read), Copilot Seat Management (Read)
+5. Generate a Client Secret
+
+**Environment variables:**
+
+```bash
+NUXT_PUBLIC_AUTH_PROVIDERS=github
+NUXT_OAUTH_GITHUB_CLIENT_ID=Iv1.xxxxxxxxxxxx
+NUXT_OAUTH_GITHUB_CLIENT_SECRET=xxxxxxxxxxxx
+```
+
+---
+
+### Google OAuth
+
+1. Open [Google Cloud Console → APIs & Services → Credentials](https://console.cloud.google.com/apis/credentials)
+2. Create an **OAuth 2.0 Client ID** (Web application)
+3. Add **Authorized redirect URI**: `https://<your-app>/auth/google`
+
+**Environment variables:**
+
+```bash
+NUXT_PUBLIC_AUTH_PROVIDERS=google
+NUXT_OAUTH_GOOGLE_CLIENT_ID=xxxx.apps.googleusercontent.com
+NUXT_OAUTH_GOOGLE_CLIENT_SECRET=xxxxxxxxxxxx
+
+# Optional: restrict to a specific email domain
+NUXT_AUTHORIZED_EMAIL_DOMAINS=company.com
+```
+
+---
+
+### Microsoft / Entra ID (Azure AD)
+
+1. Open [Azure Portal → App Registrations → New Registration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps)
+2. Set **Redirect URI**: `https://<your-app>/auth/microsoft`
+3. Under **Certificates & Secrets**, create a new client secret
+4. Note the **Application (client) ID**, **Directory (tenant) ID**, and secret value
+
+**Environment variables:**
+
+```bash
+NUXT_PUBLIC_AUTH_PROVIDERS=microsoft
+NUXT_OAUTH_MICROSOFT_CLIENT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+NUXT_OAUTH_MICROSOFT_CLIENT_SECRET=xxxxxxxxxxxx
+# Restricts sign-in to your Azure AD tenant (strongly recommended):
+NUXT_OAUTH_MICROSOFT_TENANT=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+```
+
+> [!TIP]
+> Setting `NUXT_OAUTH_MICROSOFT_TENANT` to your tenant ID automatically restricts access to users in your organization's Azure Active Directory — no need for `NUXT_AUTHORIZED_EMAIL_DOMAINS` in most cases.
+
+---
+
+### Auth0
+
+Auth0 acts as an identity aggregator. Configure it once and it can front GitHub, Google, Microsoft, LDAP, SAML, and many more identity sources. Useful for organizations that already use Auth0 or need fine-grained access control (MFA, connection restrictions, roles).
+
+1. Log in to the [Auth0 Dashboard](https://manage.auth0.com/)
+2. Create a new **Regular Web Application**
+3. Under **Settings → Allowed Callback URLs**, add: `https://<your-app>/auth/auth0`
+4. Note the **Domain**, **Client ID**, and **Client Secret**
+5. Configure allowed connections (GitHub, Google, etc.) under **Authentication → Social**
+
+**Environment variables:**
+
+```bash
+NUXT_PUBLIC_AUTH_PROVIDERS=auth0
+NUXT_OAUTH_AUTH0_CLIENT_ID=xxxxxxxxxxxx
+NUXT_OAUTH_AUTH0_CLIENT_SECRET=xxxxxxxxxxxx
+NUXT_OAUTH_AUTH0_DOMAIN=your-tenant.auth0.com
+
+# Optional: restrict by email domain (Auth0 often handles this natively via connection/org settings)
+NUXT_AUTHORIZED_EMAIL_DOMAINS=company.com
+```
+
+> [!TIP]
+> Auth0 organizations and connection-level policies can enforce access without requiring `NUXT_AUTHORIZED_*` env vars. Prefer Auth0's native controls for the cleanest setup.
+
+---
+
+### Keycloak
+
+Keycloak is a self-hosted, open-source identity and access management server. Ideal for air-gapped, regulated, or on-premises environments.
+
+1. Create a new **Realm** (or use an existing one)
+2. Create a **Client**: set **Client Protocol** to `openid-connect`, **Access Type** to `confidential`
+3. Set **Valid Redirect URIs**: `https://<your-app>/auth/keycloak`
+4. Under **Credentials**, note the **Secret**
+5. Optionally configure realm roles or groups to restrict access
+
+**Environment variables:**
+
+```bash
+NUXT_PUBLIC_AUTH_PROVIDERS=keycloak
+NUXT_OAUTH_KEYCLOAK_CLIENT_ID=copilot-metrics-viewer
+NUXT_OAUTH_KEYCLOAK_CLIENT_SECRET=xxxxxxxxxxxx
+NUXT_OAUTH_KEYCLOAK_SERVER_URL=https://keycloak.company.com
+NUXT_OAUTH_KEYCLOAK_REALM=your-realm
+
+# Optional: restrict to specific users or email domain
+NUXT_AUTHORIZED_USERS=alice,bob
+NUXT_AUTHORIZED_EMAIL_DOMAINS=company.com
+```
+
+---
+
+### Multiple Providers
+
+You can enable multiple OAuth providers simultaneously. Users will see a sign-in button for each:
+
+```bash
+NUXT_PUBLIC_AUTH_PROVIDERS=github,google
+NUXT_OAUTH_GITHUB_CLIENT_ID=...
+NUXT_OAUTH_GITHUB_CLIENT_SECRET=...
+NUXT_OAUTH_GOOGLE_CLIENT_ID=...
+NUXT_OAUTH_GOOGLE_CLIENT_SECRET=...
+```
+
+---
+
+### Authorization (user allowlists)
+
+After a user authenticates with any provider, you can optionally restrict which accounts are allowed:
+
+| Variable | Effect |
+|---|---|
+| `NUXT_AUTHORIZED_USERS` | Comma-separated logins or emails: `alice,bob@company.com` |
+| `NUXT_AUTHORIZED_EMAIL_DOMAINS` | Comma-separated domains: `company.com,corp.org` |
+
+When **both are empty** (default), all authenticated users are allowed. When either is set, a user must match at least one rule to gain access.
+
+> [!NOTE]
+> Provider-level restrictions (Microsoft tenant, Auth0 connections, Keycloak realm) are preferred over application-level allowlists — they deny access before reaching the app entirely.
+
diff --git a/README.md b/README.md
index 50f553f8..6aa8eb45 100644
--- a/README.md
+++ b/README.md
@@ -258,6 +258,19 @@ Token is not used in the frontend.
 NUXT_GITHUB_TOKEN=
 ````
 
+#### NUXT_GITHUB_APP_ID / NUXT_GITHUB_APP_PRIVATE_KEY
+
+**Alternative to PAT** — use a GitHub App installation token for backend data access. When both are set, they take priority over `NUXT_GITHUB_TOKEN`. This is the recommended credential when users authenticate via Google, Microsoft, Auth0, or Keycloak (i.e., non-GitHub identity providers), since the token is machine-issued and not tied to any individual user account.
+
+The installation ID is **auto-discovered** from `NUXT_PUBLIC_GITHUB_ORG` — no manual configuration needed. If the App is installed on multiple orgs and no org is configured, users see an org picker after login.
+
+See [GitHub App Installation Token](DEPLOYMENT.md#github-app-installation-token-no-pat-required) in the deployment guide for full setup instructions.
+
+```bash
+NUXT_GITHUB_APP_ID=123456
+NUXT_GITHUB_APP_PRIVATE_KEY=-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----
+```
+
 #### NUXT_SESSION_PASSWORD (Required!)
 
 This variable is required to encrypt user sessions, it needs to be at least 32 characters long.
@@ -266,17 +279,50 @@ For more information see [Nuxt Sessions and Authentication](https://nuxt.com/doc
 >[!WARNING]
 > This variable is required starting from version 2.0.0.
 
-#### NUXT_PUBLIC_USING_GITHUB_AUTH
+#### NUXT_PUBLIC_AUTH_PROVIDERS
 
-Default is `false`. When set to `true`, GitHub OAuth App Authentication will be performed to verify users' access to the dashboard. For this, a GitHub App must be registered and installed in the enterprise/org. See [GitHub App Registration](DEPLOYMENT.md#github-app-registration) for the steps to follow.
+Comma-separated list of active OAuth providers: `github`, `google`, `microsoft`, `auth0`, `keycloak`. Setting this variable enables authentication — users must sign in before accessing the dashboard.
 
-Variables required for GitHub Auth are:
-1. `NUXT_OAUTH_GITHUB_CLIENT_ID` - client ID of the GitHub App.
-2. `NUXT_OAUTH_GITHUB_CLIENT_SECRET` - client secret of the GitHub App.
-3. [Optional] `NUXT_OAUTH_GITHUB_CLIENT_SCOPE` for scope requests when using OAuth App instead of GitHub App. See [GitHub docs](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/differences-between-github-apps-and-oauth-apps) for details.
+```
+NUXT_PUBLIC_AUTH_PROVIDERS=github,google
+```
 
->[!WARNING]
-> Only users with permissions (scopes listed in [NUXT_GITHUB_TOKEN](#NUXT_GITHUB_TOKEN)) can view copilot metrics, GitHub uses the authenticated users permissions to make API calls for data.
+The corresponding `NUXT_OAUTH_<PROVIDER>_CLIENT_ID` and `NUXT_OAUTH_<PROVIDER>_CLIENT_SECRET` must also be set. See [Authentication](DEPLOYMENT.md#authentication-1) in DEPLOYMENT.md for full setup instructions per provider.
+
+#### NUXT_AUTHORIZED_USERS
+
+Comma-separated list of logins or email addresses that are allowed to sign in (any provider). When empty (default), all authenticated users are allowed.
+
+```
+NUXT_AUTHORIZED_USERS=alice,bob@company.com
+```
+
+#### NUXT_AUTHORIZED_EMAIL_DOMAINS
+
+Comma-separated list of email domains allowed to sign in. When empty (default), no domain restriction is applied.
+
+```
+NUXT_AUTHORIZED_EMAIL_DOMAINS=company.com
+```
+
+#### OAuth provider variables
+
+| Variable | Provider | Description |
+|---|---|---|
+| `NUXT_OAUTH_GITHUB_CLIENT_ID` | GitHub | App client ID |
+| `NUXT_OAUTH_GITHUB_CLIENT_SECRET` | GitHub | App client secret |
+| `NUXT_OAUTH_GOOGLE_CLIENT_ID` | Google | OAuth client ID |
+| `NUXT_OAUTH_GOOGLE_CLIENT_SECRET` | Google | OAuth client secret |
+| `NUXT_OAUTH_MICROSOFT_CLIENT_ID` | Microsoft | App client ID |
+| `NUXT_OAUTH_MICROSOFT_CLIENT_SECRET` | Microsoft | App client secret |
+| `NUXT_OAUTH_MICROSOFT_TENANT` | Microsoft | Azure AD tenant ID (restricts to org) |
+| `NUXT_OAUTH_AUTH0_CLIENT_ID` | Auth0 | App client ID |
+| `NUXT_OAUTH_AUTH0_CLIENT_SECRET` | Auth0 | App client secret |
+| `NUXT_OAUTH_AUTH0_DOMAIN` | Auth0 | Tenant domain, e.g. `company.auth0.com` |
+| `NUXT_OAUTH_KEYCLOAK_CLIENT_ID` | Keycloak | Client ID |
+| `NUXT_OAUTH_KEYCLOAK_CLIENT_SECRET` | Keycloak | Client secret |
+| `NUXT_OAUTH_KEYCLOAK_SERVER_URL` | Keycloak | Server URL |
+| `NUXT_OAUTH_KEYCLOAK_REALM` | Keycloak | Realm name |
 
 #### NUXT_PUBLIC_HIDDEN_TABS
 
diff --git a/app/components/MainComponent.vue b/app/components/MainComponent.vue
index dd111179..59a8e05b 100644
--- a/app/components/MainComponent.vue
+++ b/app/components/MainComponent.vue
@@ -17,19 +17,61 @@
         <v-icon>{{ isDark ? 'mdi-weather-sunny' : 'mdi-weather-night' }}</v-icon>
       </v-btn>
 
-      <!-- Conditionally render the logout button -->
+      <!-- Logged-in user avatar + logout (OAuth mode) -->
       <AuthState>
         <template #default="{ loggedIn, user }">
           <div v-show="loggedIn" class="user-info">
             Welcome,
             <v-avatar class="user-avatar">
-              <v-img :alt="user?.name" :src="user?.avatarUrl" />
+              <v-img v-if="user?.avatarUrl" :alt="user?.name" :src="user?.avatarUrl" />
+              <v-icon v-else>mdi-account-circle</v-icon>
             </v-avatar> {{ user?.name }}
           </div>
           <v-btn v-if="showLogoutButton && loggedIn" class="logout-button" @click="logout">Logout</v-btn>
         </template>
       </AuthState>
 
+      <!-- PAT-mode info button: visible when auth is not required -->
+      <v-btn v-if="!isAuthRequired" icon title="Authentication info" @click="showAuthInfoDialog = true">
+        <v-icon>mdi-shield-account</v-icon>
+      </v-btn>
+
+      <!-- Auth info dialog -->
+      <v-dialog v-model="showAuthInfoDialog" max-width="520">
+        <v-card>
+          <v-card-title class="d-flex align-center ga-2">
+            <v-icon color="primary">mdi-shield-account</v-icon>
+            Authentication Options
+          </v-card-title>
+          <v-card-text>
+            <p class="mb-3">
+              This app is currently running in <strong>PAT / anonymous mode</strong> — user authentication is
+              not required. You can enable OAuth login by configuring one of the supported providers:
+            </p>
+            <v-list density="compact">
+              <v-list-item prepend-icon="mdi-github" title="GitHub OAuth" subtitle="NUXT_OAUTH_GITHUB_CLIENT_ID / SECRET" />
+              <v-list-item prepend-icon="mdi-google" title="Google OAuth" subtitle="NUXT_OAUTH_GOOGLE_CLIENT_ID / SECRET" />
+              <v-list-item prepend-icon="mdi-microsoft" title="Microsoft / Entra ID" subtitle="NUXT_OAUTH_MICROSOFT_CLIENT_ID / SECRET / TENANT" />
+              <v-list-item prepend-icon="mdi-lock-check" title="Auth0" subtitle="NUXT_OAUTH_AUTH0_CLIENT_ID / SECRET / DOMAIN" />
+              <v-list-item prepend-icon="mdi-key-chain" title="Keycloak" subtitle="NUXT_OAUTH_KEYCLOAK_CLIENT_ID / SECRET / SERVER_URL / REALM" />
+            </v-list>
+          </v-card-text>
+          <v-card-actions>
+            <v-spacer />
+            <v-btn
+              color="primary"
+              variant="text"
+              href="https://github.com/github-copilot-resources/copilot-metrics-viewer/blob/main/DEPLOYMENT.md#authentication"
+              target="_blank"
+              prepend-icon="mdi-open-in-new"
+            >
+              Docs
+            </v-btn>
+            <v-btn variant="text" @click="showAuthInfoDialog = false">Close</v-btn>
+          </v-card-actions>
+        </v-card>
+      </v-dialog>
+
       <template #extension>
 
         <v-tabs v-model="tab" align-tabs="title">
@@ -81,9 +123,18 @@
     <AuthState>
       <template #default="{ loggedIn }">
         <div v-show="signInRequired" class="github-login-container">
-          <NuxtLink v-if="!loggedIn && signInRequired" to="/auth/github" external class="github-login-button"> <v-icon
-              left>mdi-github</v-icon>
-            Sign in with GitHub</NuxtLink>
+          <template v-if="!loggedIn && signInRequired">
+            <NuxtLink
+              v-for="provider in activeProviders"
+              :key="provider.id"
+              :to="`/auth/${provider.id}`"
+              external
+              class="github-login-button"
+            >
+              <v-icon left>{{ provider.icon }}</v-icon>
+              Sign in with {{ provider.label }}
+            </NuxtLink>
+          </template>
         </div>
       </template>
       <template #placeholder>
@@ -429,7 +480,31 @@ export default defineNuxtComponent({
 
     const { loggedIn, user } = useUserSession()
     const config = useRuntimeConfig();
-    const showLogoutButton = computed(() => config.public.usingGithubAuth && loggedIn.value);
+
+    // requireAuth: new NUXT_PUBLIC_REQUIRE_AUTH flag; falls back to usingGithubAuth for backwards compat
+    const isAuthRequired = computed(() => config.public.requireAuth || config.public.usingGithubAuth || config.public.isPublicApp || !!config.public.authProviders);
+    const showLogoutButton = computed(() => isAuthRequired.value && loggedIn.value);
+    const showAuthInfoDialog = ref(false);
+
+    const PROVIDER_META: Record<string, { label: string; icon: string }> = {
+      github: { label: 'GitHub', icon: 'mdi-github' },
+      google: { label: 'Google', icon: 'mdi-google' },
+      microsoft: { label: 'Microsoft', icon: 'mdi-microsoft' },
+      auth0: { label: 'Auth0', icon: 'mdi-lock-check' },
+      keycloak: { label: 'Keycloak', icon: 'mdi-key-chain' },
+    };
+
+    // Active providers derived from NUXT_PUBLIC_AUTH_PROVIDERS; falls back to "github" when usingGithubAuth
+    const activeProviders = computed(() => {
+      const raw = config.public.authProviders
+        || ((config.public.usingGithubAuth || config.public.isPublicApp) ? 'github' : '');
+      return raw
+        .split(',')
+        .map(s => s.trim().toLowerCase())
+        .filter(Boolean)
+        .map(id => ({ id, ...(PROVIDER_META[id] ?? { label: id, icon: 'mdi-login' }) }));
+    });
+
     const mockedDataMessage = computed(() => config.public.isDataMocked ? 'Using mock data - see README if unintended' : '');
     const itemName = computed(() => config.public.scope);
     const githubInfo = getDisplayName(config.public)
@@ -440,7 +515,7 @@ export default defineNuxtComponent({
     const seatsCurrentPage = ref(1);
 
     const signInRequired = computed(() => {
-      return config.public.usingGithubAuth && !loggedIn.value;
+      return isAuthRequired.value && !loggedIn.value;
     });
 
     const seatsFetch = useFetch('/api/seats', {
@@ -479,6 +554,9 @@ export default defineNuxtComponent({
       isDark,
       toggleTheme,
       showLogoutButton,
+      isAuthRequired,
+      showAuthInfoDialog,
+      activeProviders,
       mockedDataMessage,
       itemName,
       displayName,
diff --git a/app/pages/index.vue b/app/pages/index.vue
index 95029fae..d13d88af 100644
--- a/app/pages/index.vue
+++ b/app/pages/index.vue
@@ -25,6 +25,17 @@ if (route.params.ent || route.params.org) {
   } 
 }
 
+// No org in URL or config — redirect to org picker, but only if the user is already
+// authenticated (or auth is not required). When auth IS required and the user is not
+// yet logged in, let MainComponent display the login overlay first; after OAuth the
+// callback handler will redirect to /select-org or directly to the org.
+const { loggedIn } = useUserSession()
+const authRequired = config.public.usingGithubAuth || config.public.requireAuth || config.public.isPublicApp || !!config.public.authProviders
+const hasOrg = route.params.org || route.params.ent || config.public.githubOrg || config.public.githubEnt
+if (!hasOrg && !config.public.isDataMocked && (!authRequired || loggedIn.value)) {
+  await navigateTo('/select-org')
+}
+
 computed(() => config.public.version);
 </script>
 
diff --git a/app/pages/select-org.vue b/app/pages/select-org.vue
new file mode 100644
index 00000000..ac1fdf7c
--- /dev/null
+++ b/app/pages/select-org.vue
@@ -0,0 +1,125 @@
+<script lang="ts" setup>
+import './assets/global.css'
+
+const router = useRouter()
+const { clear: clearSession } = useUserSession()
+
+interface Installation {
+  login: string
+  type: string
+}
+
+const installations = ref<Installation[]>([])
+const selected = ref<string | null>(null)
+const manualOrg = ref('')
+const loading = ref(true)
+const error = ref<string | null>(null)
+
+// When installations is empty (public app + non-GitHub login), show a text input instead.
+const showManualInput = computed(() => !loading.value && !error.value && installations.value.length === 0)
+
+onMounted(async () => {
+  try {
+    const data = await $fetch<{ installations: Installation[] }>('/api/installations')
+    installations.value = data.installations
+
+    if (installations.value.length === 1) {
+      // Single org — navigate immediately without showing picker
+      await router.replace(`/orgs/${installations.value[0].login}`)
+    } else if (installations.value.length > 1) {
+      selected.value = installations.value[0].login
+    }
+    // length === 0 → showManualInput will be true
+  } catch (e: unknown) {
+    // 401 means the session expired or the user navigated here directly without logging in.
+    // Redirect to the root so MainComponent can show the login overlay.
+    if ((e as { statusCode?: number })?.statusCode === 401) {
+      await router.replace('/')
+      return
+    }
+    error.value = e instanceof Error ? e.message : 'Failed to load organizations'
+  } finally {
+    loading.value = false
+  }
+})
+
+function navigate() {
+  if (selected.value) {
+    router.push(`/orgs/${selected.value}`)
+  } else if (manualOrg.value.trim()) {
+    router.push(`/orgs/${manualOrg.value.trim()}`)
+  }
+}
+</script>
+
+<template>
+  <v-app>
+    <v-main>
+      <v-container class="d-flex align-center justify-center" style="min-height: 100vh">
+        <v-card width="480" class="pa-4">
+          <v-card-title class="text-h5 pb-2">
+            <v-icon class="mr-2" color="primary">mdi-office-building</v-icon>
+            Select Organization
+          </v-card-title>
+
+          <v-card-text>
+            <template v-if="loading">
+              <v-progress-linear indeterminate color="primary" class="mb-4" />
+              <p class="text-body-2 text-medium-emphasis">Loading accessible organizations…</p>
+            </template>
+
+            <template v-else-if="error">
+              <v-alert type="error" variant="tonal" class="mb-4">{{ error }}</v-alert>
+              <p class="text-body-2 text-medium-emphasis">
+                Make sure the GitHub App is installed on your organization.
+              </p>
+            </template>
+
+            <template v-else-if="showManualInput">
+              <p class="text-body-2 text-medium-emphasis mb-4">
+                Enter the GitHub organization or enterprise slug to view its Copilot metrics.
+              </p>
+              <v-text-field
+                v-model="manualOrg"
+                label="Organization"
+                placeholder="my-org"
+                variant="outlined"
+                density="comfortable"
+                prepend-inner-icon="mdi-domain"
+                @keyup.enter="navigate"
+              />
+            </template>
+
+            <template v-else-if="installations.length > 1">
+              <p class="text-body-2 text-medium-emphasis mb-4">
+                Select which organization to view.
+              </p>
+              <v-select
+                v-model="selected"
+                :items="installations"
+                item-title="login"
+                item-value="login"
+                label="Organization"
+                variant="outlined"
+                density="comfortable"
+                prepend-inner-icon="mdi-domain"
+              />
+            </template>
+          </v-card-text>
+
+          <v-card-actions v-if="!loading && !error && (installations.length > 1 || showManualInput)" class="px-4 pb-4">
+            <v-spacer />
+            <v-btn
+              color="primary"
+              variant="flat"
+              :disabled="!selected && !manualOrg.trim()"
+              @click="navigate"
+            >
+              Continue
+            </v-btn>
+          </v-card-actions>
+        </v-card>
+      </v-container>
+    </v-main>
+  </v-app>
+</template>
diff --git a/app/router.options.ts b/app/router.options.ts
index 0dcba7e1..4f9f8e3c 100644
--- a/app/router.options.ts
+++ b/app/router.options.ts
@@ -27,6 +27,11 @@ export default {
             name: 'ent-team',
             path: '/enterprises/:ent/teams/:team',
             component: () => import('~/pages/index.vue')
+        },
+        {
+            name: 'select-org',
+            path: '/select-org',
+            component: () => import('~/pages/select-org.vue')
         }
     ],
 } satisfies RouterConfig
\ No newline at end of file
diff --git a/nuxt.config.ts b/nuxt.config.ts
index d7698528..0c9b4075 100644
--- a/nuxt.config.ts
+++ b/nuxt.config.ts
@@ -83,6 +83,9 @@ export default defineNuxtConfig({
     aiToken: '',  // Dedicated token for GitHub Models API (NUXT_AI_TOKEN). Falls back to githubToken.
     aiModel: 'gpt-4o',  // Model for AI chat (NUXT_AI_MODEL)
     aiMaxToolRounds: '5',  // Max tool-calling iterations (NUXT_AI_MAX_TOOL_ROUNDS)
+    // GitHub App credentials (alternative to PAT — works with any OAuth provider)
+    githubAppId: '',            // NUXT_GITHUB_APP_ID — numeric App ID (preferred); GitHub also accepts the Client ID (NUXT_OAUTH_GITHUB_CLIENT_ID)
+    githubAppPrivateKey: '',    // NUXT_GITHUB_APP_PRIVATE_KEY (PEM, \n-escaped)
     session: {
       // set to 6h - same as the GitHub token
       maxAge: 60 * 60 * 6,
@@ -92,14 +95,43 @@ export default defineNuxtConfig({
       github: {
         clientId: '',
         clientSecret: ''
+      },
+      google: {
+        clientId: '',
+        clientSecret: ''
+      },
+      microsoft: {
+        clientId: '',
+        clientSecret: '',
+        tenant: ''
+      },
+      auth0: {
+        clientId: '',
+        clientSecret: '',
+        domain: ''
+      },
+      keycloak: {
+        clientId: '',
+        clientSecret: '',
+        serverUrl: '',
+        realm: ''
       }
     },
+    // Server-only authorization config (NUXT_AUTHORIZED_USERS, NUXT_AUTHORIZED_EMAIL_DOMAINS)
+    authorizedUsers: '',
+    authorizedEmailDomains: '',
     public: {
       isDataMocked: false,  // can be overridden by NUXT_PUBLIC_IS_DATA_MOCKED environment variable
       scope: 'organization',  // can be overridden by NUXT_PUBLIC_SCOPE environment variable
       githubOrg: '',
       githubEnt: '',
+      // Deprecated: use requireAuth + authProviders instead. Kept for backwards compatibility.
       usingGithubAuth: false,
+      // Set to true when any OAuth provider is configured (NUXT_PUBLIC_REQUIRE_AUTH)
+      requireAuth: false,
+      // Comma-separated list of active OAuth providers shown in the UI, e.g. "github,google,microsoft"
+      // (NUXT_PUBLIC_AUTH_PROVIDERS)
+      authProviders: '',
       version,
       isPublicApp: false,
       // Deployment metadata (set via NUXT_PUBLIC_DEPLOY_INFO for preview environments)
diff --git a/server/api/installations.get.ts b/server/api/installations.get.ts
new file mode 100644
index 00000000..59e2449f
--- /dev/null
+++ b/server/api/installations.get.ts
@@ -0,0 +1,57 @@
+import { listAppInstallations, type AppInstallation } from '../modules/github-app-auth'
+
+/**
+ * Returns the list of orgs/accounts the app can access.
+ *
+ * Public/marketplace app (NUXT_PUBLIC_IS_PUBLIC_APP=true):
+ *   - MUST NOT have a private key configured — throws 500 (misconfiguration)
+ *   - Returns empty list; the UI shows a text input for the user to type their org slug
+ *
+ * Private/internal app:
+ *   - App JWT lists all installations (small, known set) → dropdown in UI
+ *
+ * Protected: requires an active session when any auth mode is enabled.
+ */
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig(event)
+  const isAuthRequired = config.public.requireAuth || config.public.usingGithubAuth || config.public.isPublicApp || !!config.public.authProviders
+
+  const session = await getUserSession(event)
+
+  if (isAuthRequired && !session?.user) {
+    throw createError({ statusCode: 401, statusMessage: 'Unauthorized' })
+  }
+
+  setResponseHeaders(event, { 'Cache-Control': 'private, no-store' })
+
+  if (config.public.isPublicApp) {
+    // A private key with a public/marketplace app is a misconfiguration: the App JWT
+    // can mint tokens for every org that installed it, bypassing per-user access control.
+    if (config.githubAppPrivateKey) {
+      throw createError({
+        statusCode: 500,
+        statusMessage:
+          'Misconfiguration: NUXT_GITHUB_APP_PRIVATE_KEY must not be set when ' +
+          'NUXT_PUBLIC_IS_PUBLIC_APP=true. Remove the private key or disable isPublicApp.'
+      })
+    }
+
+    // In public app mode the user types their org slug directly — no server-side enumeration.
+    return { installations: [] }
+  }
+
+  // Private/internal app: list all installations via App JWT.
+  const appId = config.githubAppId || config.oauth?.github?.clientId || ''
+  if (appId && config.githubAppPrivateKey) {
+    try {
+      const installations = await listAppInstallations(appId, config.githubAppPrivateKey)
+      return { installations: installations.map(i => ({ login: i.login, type: i.type })) }
+    } catch {
+      // JWT auth failed or network error — fall through to empty list so the UI
+      // shows a text input instead of a broken dropdown.
+    }
+  }
+
+  // No installations available — UI will show a text input.
+  return { installations: [] }
+})
diff --git a/server/middleware/github.ts b/server/middleware/github.ts
index d9944bdc..80207863 100644
--- a/server/middleware/github.ts
+++ b/server/middleware/github.ts
@@ -22,11 +22,20 @@ export default defineEventHandler(async (event) => {
     const url = event.node.req.url || '';
 
     const healthCheckPaths = ['/api/health', '/api/live', '/api/ready'];
-    // Skip authentication for non-API routes, health checks, auth session, and AI chat (uses its own token)
-    if (!url.startsWith('/api/') || healthCheckPaths.includes(url) || url.startsWith('/api/_auth/') || url.startsWith('/api/ai/')) {
+    // Skip authentication for non-API routes, health checks, auth session, AI chat, and org picker
+    if (!url.startsWith('/api/') || healthCheckPaths.includes(url) || url.startsWith('/api/_auth/') || url.startsWith('/api/ai/') || url.startsWith('/api/installations')) {
         return;
     }
 
+    // When OAuth mode is enabled, require a valid user session for all API calls
+    const requireAuth = config.public.requireAuth || config.public.usingGithubAuth || config.public.isPublicApp || !!config.public.authProviders;
+    if (requireAuth) {
+        const session = await getUserSession(event).catch(() => null);
+        if (!session?.user) {
+            throw createError({ statusCode: 401, statusMessage: 'Unauthorized' });
+        }
+    }
+
     // When historical mode is enabled, metrics come from DB — auth is optional
     // (the handler will request auth only if it needs to sync from the API)
     const historicalMode = process.env.ENABLE_HISTORICAL_MODE === 'true';
diff --git a/server/modules/authentication.ts b/server/modules/authentication.ts
index c8ac2936..70a80cb5 100644
--- a/server/modules/authentication.ts
+++ b/server/modules/authentication.ts
@@ -1,20 +1,19 @@
 import type { H3Event, EventHandlerRequest } from 'h3'
+import { buildGitHubAppHeaders } from './github-app-auth'
 
 // https://www.telerik.com/blogs/implementing-sso-vue-nuxt-auth-github-comprehensive-guide
 
 /**
  * Authenticates the user and retrieves GitHub headers.
- * 
- * This function checks if the data is mocked or if a GitHub token is available in the configuration.
- * If neither is available, it requires a user session to obtain a token.
- * 
+ *
+ * Priority order:
+ * 1. Mock data — returns a placeholder token
+ * 2. GitHub App (NUXT_GITHUB_APP_ID + private key + installation ID) — generates an installation token; works with any OAuth provider
+ * 3. Personal Access Token (NUXT_GITHUB_TOKEN) — legacy / simplest setup
+ * 4. User's GitHub OAuth token — stored in session after GitHub OAuth login
+ *
  * @param {H3Event<EventHandlerRequest>} event - The event object containing the request details.
  * @returns {Promise<Headers>} A promise that resolves to the GitHub headers.
- * 
- * @example
- * const headers = await authenticateAndGetGitHubHeaders(event);
- * 
- * @see https://nuxt.com/docs/guide/recipes/sessions-and-authentication
  */
 export async function authenticateAndGetGitHubHeaders(event: H3Event<EventHandlerRequest>): Promise<Headers> {
     const config = useRuntimeConfig(event);
@@ -24,20 +23,25 @@ export async function authenticateAndGetGitHubHeaders(event: H3Event<EventHandle
     const dataMocked = query.mock || query.isDataMocked || false;
 
     if (config.public.isDataMocked || dataMocked) {
-        // when data is mocked, we still need to have a token, but it's not used for real API calls
         return buildHeaders('mock-token');
     }
+
+    // GitHub App installation token (preferred for decoupled auth — no PAT needed)
+    // Accept numeric App ID (NUXT_GITHUB_APP_ID) or OAuth Client ID (NUXT_OAUTH_GITHUB_CLIENT_ID) as the JWT issuer
+    const githubAppId = config.githubAppId || config.oauth?.github?.clientId
+    if (githubAppId && config.githubAppPrivateKey) {
+        return await buildGitHubAppHeaders(event);
+    }
+
+    // Personal Access Token
     if (config.githubToken) {
         return buildHeaders(config.githubToken);
     }
 
-    // https://nuxt.com/docs/guide/recipes/sessions-and-authentication
+    // User's own GitHub OAuth token (GitHub OAuth login only)
     const { secure } = await getUserSession(event);
 
-    // check if token is expired and get new one
     if (secure?.expires_at && secure.expires_at < new Date(Date.now() - 30 * 1000)) {
-        // Token is expired or about to expire within 30 seconds
-        // we could refresh but unlikely dashboard is used for long periods
         return buildHeaders('');
     }
 
@@ -47,12 +51,10 @@ export async function authenticateAndGetGitHubHeaders(event: H3Event<EventHandle
 function buildHeaders(token: string): Headers {
     if (!token) {
         throw new Error(
-            `Authentication required but not provided.
-            This can happen when:
-            1. First call to the API when client checks if user is authenticated - /api/_auth/session.
-            2. When App is not configured correctly:
-             - For PAT, set NUXT_GITHUB_TOKEN environment variable.
-             - For GitHub Auth - ensure NUXT_PUBLIC_USING_GITHUB_AUTH is set to true, NUXT_OAUTH_GITHUB_CLIENT_ID and NUXT_OAUTH_GITHUB_CLIENT_SECRET are provided and user is authenticated.`);
+            `Authentication required but not provided. Configure one of:
+             1. GitHub App: set NUXT_GITHUB_APP_PRIVATE_KEY + NUXT_OAUTH_GITHUB_CLIENT_ID (or NUXT_GITHUB_APP_ID)
+             2. PAT: set NUXT_GITHUB_TOKEN
+             3. GitHub OAuth: set NUXT_PUBLIC_USING_GITHUB_AUTH=true with client ID/secret`);
     }
 
     return new Headers({
@@ -61,3 +63,4 @@ function buildHeaders(token: string): Headers {
         Authorization: `token ${token}`
     });
 }
+
diff --git a/server/modules/github-app-auth.ts b/server/modules/github-app-auth.ts
new file mode 100644
index 00000000..890b3ec3
--- /dev/null
+++ b/server/modules/github-app-auth.ts
@@ -0,0 +1,207 @@
+import { createPrivateKey, createSign } from 'node:crypto'
+import type { H3Event, EventHandlerRequest } from 'h3'
+
+const TOKEN_EXPIRY_BUFFER_SECONDS = 300 // refresh 5 min before expiry
+const INSTALLATIONS_CACHE_TTL_SECONDS = 300 // re-list installations every 5 min
+
+export interface AppInstallation {
+  id: number
+  login: string
+  type: 'Organization' | 'User'
+}
+
+// Per-installation token cache keyed by installation ID
+const tokenCache = new Map<number, { token: string; expiresAt: number }>()
+// In-flight token requests to prevent thundering herd per installation
+const tokenInflight = new Map<number, Promise<{ token: string; expiresAt: number }>>()
+
+// Cached installation list
+let installationsCache: { list: AppInstallation[]; cachedAt: number } | null = null
+let installationsInflight: Promise<AppInstallation[]> | null = null
+
+// ── Crypto helpers ─────────────────────────────────────────────────────────────
+
+/** Base64url-encode a buffer. */
+function b64url(buf: Buffer): string {
+  return buf.toString('base64url')
+}
+
+/** Normalise a PEM key that may use literal \n instead of real newlines. */
+function normalisePem(pem: string): string {
+  return pem.replace(/\\n/g, '\n')
+}
+
+/**
+ * Sign a compact JWT (RS256) using Node's built-in crypto.
+ * Handles PKCS#1 ("BEGIN RSA PRIVATE KEY") and PKCS#8 ("BEGIN PRIVATE KEY"),
+ * and both real-newline and \n-escaped PEM strings.
+ */
+function signJWT(payload: Record<string, unknown>, privateKeyPem: string): string {
+  const header = b64url(Buffer.from(JSON.stringify({ alg: 'RS256', typ: 'JWT' })))
+  const body = b64url(Buffer.from(JSON.stringify(payload)))
+  const signingInput = `${header}.${body}`
+
+  const key = createPrivateKey({ key: normalisePem(privateKeyPem), format: 'pem' })
+  const sign = createSign('RSA-SHA256')
+  sign.update(signingInput)
+  const sig = sign.sign(key)
+  return `${signingInput}.${b64url(sig)}`
+}
+
+/** Build a short-lived JWT for GitHub App API calls. */
+function buildAppJwt(appId: string, privateKey: string): string {
+  const now = Math.floor(Date.now() / 1000)
+  console.log(`[github-app-auth] Building JWT with App ID ${appId}`)
+  try {
+    return signJWT({ iss: appId, iat: now - 10, exp: now + 600 }, privateKey)
+  } catch (err: unknown) {
+    const msg = err instanceof Error ? err.message : String(err)
+    throw new Error(`Failed to sign GitHub App JWT: ${msg}. Check NUXT_GITHUB_APP_PRIVATE_KEY is a valid PEM-encoded RSA private key.`)
+  }
+}
+
+// ── Installation listing ───────────────────────────────────────────────────────
+
+/**
+ * List all orgs/users the GitHub App is installed on.
+ * Paginates through all results and caches for INSTALLATIONS_CACHE_TTL_SECONDS.
+ */
+export async function listAppInstallations(appId: string, privateKey: string): Promise<AppInstallation[]> {
+  const now = Math.floor(Date.now() / 1000)
+  if (installationsCache && now - installationsCache.cachedAt < INSTALLATIONS_CACHE_TTL_SECONDS) {
+    return installationsCache.list
+  }
+
+  // Dedupe concurrent calls
+  if (installationsInflight) return installationsInflight
+
+  installationsInflight = (async () => {
+    try {
+      const jwt = await buildAppJwt(appId, privateKey)
+      const all: AppInstallation[] = []
+      let page = 1
+
+      while (true) {
+        const page_items = await $fetch<Array<{ id: number; account: { login: string; type: string } }>>(
+          `https://api.github.com/app/installations?per_page=100&page=${page}`,
+          {
+            headers: {
+              Accept: 'application/vnd.github+json',
+              Authorization: `Bearer ${jwt}`,
+              'X-GitHub-Api-Version': '2022-11-28',
+              'User-Agent': 'copilot-metrics-viewer'
+            }
+          }
+        )
+        for (const item of page_items) {
+          all.push({ id: item.id, login: item.account.login, type: item.account.type as AppInstallation['type'] })
+        }
+        if (page_items.length < 100) break
+        page++
+      }
+
+      installationsCache = { list: all, cachedAt: Math.floor(Date.now() / 1000) }
+      return all
+    } finally {
+      installationsInflight = null
+    }
+  })()
+
+  return installationsInflight
+}
+
+// ── Installation token ─────────────────────────────────────────────────────────
+
+async function fetchInstallationToken(jwt: string, installationId: number): Promise<{ token: string; expiresAt: number }> {
+  const response = await $fetch<{ token: string; expires_at: string }>(
+    `https://api.github.com/app/installations/${installationId}/access_tokens`,
+    {
+      method: 'POST',
+      headers: {
+        Accept: 'application/vnd.github+json',
+        Authorization: `Bearer ${jwt}`,
+        'X-GitHub-Api-Version': '2022-11-28',
+        'User-Agent': 'copilot-metrics-viewer'
+      }
+    }
+  )
+  return { token: response.token, expiresAt: Math.floor(new Date(response.expires_at).getTime() / 1000) }
+}
+
+/**
+ * Return a valid installation token for the given org.
+ * Caches per installation ID and dedupes concurrent refreshes.
+ */
+async function getTokenForInstallation(appId: string, privateKey: string, installationId: number): Promise<string> {
+  const now = Math.floor(Date.now() / 1000)
+  const cached = tokenCache.get(installationId)
+  if (cached && cached.expiresAt > now + TOKEN_EXPIRY_BUFFER_SECONDS) {
+    return cached.token
+  }
+
+  // Dedupe concurrent refresh for the same installation
+  let inflight = tokenInflight.get(installationId)
+  if (!inflight) {
+    inflight = (async () => {
+      const jwt = buildAppJwt(appId, privateKey)
+      const result = await fetchInstallationToken(jwt, installationId)
+      tokenCache.set(installationId, result)
+      tokenInflight.delete(installationId)
+      return result
+    })()
+    tokenInflight.set(installationId, inflight)
+  }
+
+  return (await inflight).token
+}
+
+// ── Public API ─────────────────────────────────────────────────────────────────
+
+/**
+ * Return a valid GitHub App installation token for the org/enterprise in the request.
+ *
+ * Org resolution order:
+ *   1. githubOrg query param  2. githubEnt query param
+ *   3. NUXT_PUBLIC_GITHUB_ORG config  4. NUXT_PUBLIC_GITHUB_ENT config
+ *   5. Single installation auto-select
+ */
+export async function getGitHubAppToken(event: H3Event<EventHandlerRequest>): Promise<string> {
+  const config = useRuntimeConfig(event)
+  const { githubAppPrivateKey } = config
+  // Accept numeric App ID (NUXT_GITHUB_APP_ID) or OAuth Client ID (NUXT_OAUTH_GITHUB_CLIENT_ID) as the JWT issuer
+  const githubAppId = config.githubAppId || config.oauth?.github?.clientId
+
+  if (!githubAppId || !githubAppPrivateKey) {
+    throw new Error('GitHub App configuration incomplete. Set NUXT_GITHUB_APP_PRIVATE_KEY and NUXT_GITHUB_APP_ID (or NUXT_OAUTH_GITHUB_CLIENT_ID).')
+  }
+
+  const query = getQuery(event)
+  const targetOrg = (query.githubOrg || query.githubEnt || config.public.githubOrg || config.public.githubEnt) as string | undefined
+
+  const installations = await listAppInstallations(githubAppId, githubAppPrivateKey)
+
+  let installation: AppInstallation | undefined
+  if (targetOrg) {
+    installation = installations.find(i => i.login.toLowerCase() === targetOrg.toLowerCase())
+    if (!installation) {
+      throw new Error(`GitHub App is not installed on org/enterprise "${targetOrg}". Available: ${installations.map(i => i.login).join(', ')}`)
+    }
+  } else if (installations.length === 1) {
+    installation = installations[0]
+  } else if (installations.length === 0) {
+    throw new Error('GitHub App has no installations. Install the App on your org first.')
+  } else {
+    throw new Error('Multiple GitHub App installations found. Set NUXT_PUBLIC_GITHUB_ORG or navigate to a specific org URL.')
+  }
+
+  return getTokenForInstallation(githubAppId, githubAppPrivateKey, installation.id)
+}
+
+export async function buildGitHubAppHeaders(event: H3Event<EventHandlerRequest>): Promise<Headers> {
+  const token = await getGitHubAppToken(event)
+  return new Headers({
+    Accept: 'application/vnd.github+json',
+    'X-GitHub-Api-Version': '2022-11-28',
+    Authorization: `token ${token}`
+  })
+}
diff --git a/server/routes/auth/auth0.get.ts b/server/routes/auth/auth0.get.ts
new file mode 100644
index 00000000..dd008e4e
--- /dev/null
+++ b/server/routes/auth/auth0.get.ts
@@ -0,0 +1,24 @@
+export default defineOAuthAuth0EventHandler({
+  async onSuccess(event, { user }) {
+    const email: string = user.email || ''
+    if (!isUserAuthorized(event, { login: user.nickname, email })) {
+      throw createError({ statusCode: 403, statusMessage: 'Access denied' })
+    }
+
+    await setUserSession(event, {
+      user: {
+        login: user.nickname || email,
+        name: user.name,
+        avatarUrl: user.picture
+      }
+    })
+
+    const config = useRuntimeConfig(event)
+    const defaultOrg = config.public.githubOrg || config.public.githubEnt
+    return sendRedirect(event, defaultOrg ? '/' : '/select-org')
+  },
+  onError(event, error) {
+    console.error('Auth0 OAuth error:', error)
+    return sendRedirect(event, '/')
+  }
+})
diff --git a/server/routes/auth/github.get.ts b/server/routes/auth/github.get.ts
index 1c98af8c..b26c96d3 100644
--- a/server/routes/auth/github.get.ts
+++ b/server/routes/auth/github.get.ts
@@ -1,15 +1,22 @@
-import type FetchError from 'ofetch';
-
 export default defineOAuthGitHubEventHandler({
   config: {
-    scope: process.env.NUXT_OAUTH_GITHUB_CLIENT_SCOPE ? process.env.NUXT_OAUTH_GITHUB_CLIENT_SCOPE.split(',') : undefined,
+    // Default to read:user so the authorize URL is never built with an empty scope= param (GitHub returns 404).
+    // Override via NUXT_OAUTH_GITHUB_CLIENT_SCOPE (comma-separated) when additional scopes are needed.
+    scope: process.env.NUXT_OAUTH_GITHUB_CLIENT_SCOPE
+      ? process.env.NUXT_OAUTH_GITHUB_CLIENT_SCOPE.split(',')
+      : ['read:user'],
   },
   async onSuccess(event, { user, tokens }) {
     const config = useRuntimeConfig(event);
-    const logger = console;
+
+    // Authorize before creating a session
+    if (!isUserAuthorized(event, { login: user.login, email: user.email })) {
+      throw createError({ statusCode: 403, statusMessage: 'Access denied' })
+    }
 
     await setUserSession(event, {
       user: {
+        login: user.login,
         githubId: user.id,
         name: user.name,
         avatarUrl: user.avatar_url
@@ -18,41 +25,14 @@ export default defineOAuthGitHubEventHandler({
         tokens,
         expires_at: new Date(Date.now() + tokens.expires_in * 1000)
       }
-    }
-    )
-
-    // need to check if this is public app (no default org/team/ent)
-    if (config.public.isPublicApp) {
-      try {
-        const installationsResponse = await $fetch('https://api.github.com/user/installations', {
-          headers: {
-            Authorization: `token ${tokens.access_token}`,
-            Accept: 'application/vnd.github+json',
-            'X-GitHub-Api-Version': '2022-11-28'
-          }
-        }) as { installations: Array<{ account: { login: string } }> };
-
-        const installations = installationsResponse.installations;
-        const organizations = installations.map(installation => installation.account.login);
-
-        await setUserSession(event, {
-          organizations
-        });
-        logger.info('User organizations:', organizations);
-
-        if (organizations.length === 0) {
-          console.error('No organizations found for the user.');
-          return sendRedirect(event, '/?error=No organizations found for the user.');
-        }
-
-        return sendRedirect(event, `/orgs/${organizations[0]}`);
-      }
-      catch (error: FetchError) {
-        logger.error('Error fetching installations:', error);
-      }
-    }
-
-    return sendRedirect(event, '/')
+    })
+
+    // If a default org/ent is pinned via env var, go straight to the home page.
+    // Otherwise go to the org picker — /api/installations will use the App JWT (private app)
+    // or the user's token (public app) to build the correct list, regardless of whether the
+    // logged-in GitHub user is personally a member of the org.
+    const defaultOrg = config.public.githubOrg || config.public.githubEnt
+    return sendRedirect(event, defaultOrg ? '/' : '/select-org')
   },
   // Optional, will return a json error and 401 status code by default
   onError(event, error) {
diff --git a/server/routes/auth/google.get.ts b/server/routes/auth/google.get.ts
new file mode 100644
index 00000000..f00d206b
--- /dev/null
+++ b/server/routes/auth/google.get.ts
@@ -0,0 +1,28 @@
+export default defineOAuthGoogleEventHandler({
+  async onSuccess(event, { user }) {
+    if (!isUserAuthorized(event, { email: user.email })) {
+      throw createError({ statusCode: 403, statusMessage: 'Access denied' })
+    }
+
+    await setUserSession(event, {
+      user: {
+        login: user.email,
+        name: user.name,
+        avatarUrl: user.picture
+      }
+    })
+
+    // If no default org is configured, let the user pick via the org picker
+    const config = useRuntimeConfig(event)
+    const defaultOrg = config.public.githubOrg || config.public.githubEnt
+    if (!defaultOrg) {
+      return sendRedirect(event, '/select-org')
+    }
+
+    return sendRedirect(event, '/')
+  },
+  onError(event, error) {
+    console.error('Google OAuth error:', error)
+    return sendRedirect(event, '/')
+  }
+})
diff --git a/server/routes/auth/keycloak.get.ts b/server/routes/auth/keycloak.get.ts
new file mode 100644
index 00000000..8477d6c9
--- /dev/null
+++ b/server/routes/auth/keycloak.get.ts
@@ -0,0 +1,24 @@
+export default defineOAuthKeycloakEventHandler({
+  async onSuccess(event, { user }) {
+    const email: string = user.email || ''
+    if (!isUserAuthorized(event, { login: user.preferred_username, email })) {
+      throw createError({ statusCode: 403, statusMessage: 'Access denied' })
+    }
+
+    await setUserSession(event, {
+      user: {
+        login: user.preferred_username || email,
+        name: user.name,
+        avatarUrl: undefined
+      }
+    })
+
+    const config = useRuntimeConfig(event)
+    const defaultOrg = config.public.githubOrg || config.public.githubEnt
+    return sendRedirect(event, defaultOrg ? '/' : '/select-org')
+  },
+  onError(event, error) {
+    console.error('Keycloak OAuth error:', error)
+    return sendRedirect(event, '/')
+  }
+})
diff --git a/server/routes/auth/microsoft.get.ts b/server/routes/auth/microsoft.get.ts
new file mode 100644
index 00000000..d5596475
--- /dev/null
+++ b/server/routes/auth/microsoft.get.ts
@@ -0,0 +1,24 @@
+export default defineOAuthMicrosoftEventHandler({
+  async onSuccess(event, { user }) {
+    const email: string = user.mail || user.userPrincipalName || ''
+    if (!isUserAuthorized(event, { email })) {
+      throw createError({ statusCode: 403, statusMessage: 'Access denied' })
+    }
+
+    await setUserSession(event, {
+      user: {
+        login: email,
+        name: user.displayName,
+        avatarUrl: undefined
+      }
+    })
+
+    const config = useRuntimeConfig(event)
+    const defaultOrg = config.public.githubOrg || config.public.githubEnt
+    return sendRedirect(event, defaultOrg ? '/' : '/select-org')
+  },
+  onError(event, error) {
+    console.error('Microsoft OAuth error:', error)
+    return sendRedirect(event, '/')
+  }
+})
diff --git a/server/utils/authorization.ts b/server/utils/authorization.ts
new file mode 100644
index 00000000..d6c076a3
--- /dev/null
+++ b/server/utils/authorization.ts
@@ -0,0 +1,83 @@
+/**
+ * Shared user authorization for OAuth handlers.
+ *
+ * Checks the authenticated user against two optional env-var-based allowlists
+ * before a session is created. When neither list is set, all authenticated users
+ * are allowed (i.e., provider-level restrictions — Microsoft tenant, etc. — are
+ * the only gate).
+ *
+ * Env vars (set in .env or container environment):
+ *  - NUXT_AUTHORIZED_USERS         comma-separated GitHub logins or email addresses
+ *  - NUXT_AUTHORIZED_EMAIL_DOMAINS comma-separated domains, e.g. "company.com,corp.org"
+ */
+
+export interface AuthorizedIdentity {
+  /** GitHub login or generic username (lowercase for comparison) */
+  login?: string
+  /** Email address (lowercase for comparison) */
+  email?: string
+}
+
+/**
+ * Pure authorization check — accepts explicit allowlist strings so it can be
+ * tested without mocking Nuxt runtime config.
+ *
+ * @param identity    The authenticated user's login and/or email
+ * @param authorizedUsers         Comma-separated login/email allowlist (empty = no restriction)
+ * @param authorizedEmailDomains  Comma-separated domain allowlist (empty = no restriction)
+ */
+export function checkAuthorization(
+  identity: AuthorizedIdentity,
+  authorizedUsers: string,
+  authorizedEmailDomains: string
+): boolean {
+  // When both lists are empty → open to all authenticated users
+  if (!authorizedUsers && !authorizedEmailDomains) {
+    return true
+  }
+
+  const login = identity.login?.toLowerCase()
+  const email = identity.email?.toLowerCase()
+
+  // Check explicit user/email list
+  if (authorizedUsers) {
+    const allowed = authorizedUsers
+      .split(',')
+      .map(s => s.trim().toLowerCase())
+      .filter(Boolean)
+    if ((login && allowed.includes(login)) || (email && allowed.includes(email))) {
+      return true
+    }
+  }
+
+  // Check email domain allowlist
+  if (authorizedEmailDomains && email) {
+    const domains = authorizedEmailDomains
+      .split(',')
+      .map(s => s.trim().toLowerCase().replace(/^@/, ''))
+      .filter(Boolean)
+    if (domains.some(d => email.endsWith(`@${d}`))) {
+      return true
+    }
+  }
+
+  return false
+}
+
+/**
+ * Returns true when the identity is allowed to access the application.
+ * Reads allowlists from Nuxt runtime config (NUXT_AUTHORIZED_USERS and
+ * NUXT_AUTHORIZED_EMAIL_DOMAINS env vars).
+ *
+ * Call this in every OAuth handler's `onSuccess` callback **before** calling
+ * `setUserSession`, so unauthorized users never receive a session cookie.
+ */
+export function isUserAuthorized(
+  event: Parameters<typeof useRuntimeConfig>[0],
+  identity: AuthorizedIdentity
+): boolean {
+  const config = useRuntimeConfig(event)
+  const authorizedUsers = (config.authorizedUsers as string | undefined) ?? ''
+  const authorizedEmailDomains = (config.authorizedEmailDomains as string | undefined) ?? ''
+  return checkAuthorization(identity, authorizedUsers, authorizedEmailDomains)
+}
diff --git a/tests/authorization.spec.ts b/tests/authorization.spec.ts
new file mode 100644
index 00000000..4a596478
--- /dev/null
+++ b/tests/authorization.spec.ts
@@ -0,0 +1,92 @@
+import { describe, it, expect } from 'vitest'
+import { checkAuthorization } from '../server/utils/authorization'
+
+describe('checkAuthorization', () => {
+  describe('when no restrictions are configured', () => {
+    it('allows any user with a login', () => {
+      expect(checkAuthorization({ login: 'anyone' }, '', '')).toBe(true)
+    })
+
+    it('allows any user with an email', () => {
+      expect(checkAuthorization({ email: 'user@random.com' }, '', '')).toBe(true)
+    })
+
+    it('allows user with no identity info', () => {
+      expect(checkAuthorization({}, '', '')).toBe(true)
+    })
+  })
+
+  describe('NUXT_AUTHORIZED_USERS (login / email list)', () => {
+    const users = 'alice, bob, charlie@company.com'
+
+    it('allows a user by exact login match', () => {
+      expect(checkAuthorization({ login: 'alice' }, users, '')).toBe(true)
+    })
+
+    it('allows a user by login match (case-insensitive)', () => {
+      expect(checkAuthorization({ login: 'ALICE' }, users, '')).toBe(true)
+    })
+
+    it('allows a user by email match', () => {
+      expect(checkAuthorization({ email: 'charlie@company.com' }, users, '')).toBe(true)
+    })
+
+    it('allows a user by email match (case-insensitive)', () => {
+      expect(checkAuthorization({ email: 'CHARLIE@COMPANY.COM' }, users, '')).toBe(true)
+    })
+
+    it('denies a user not in the list', () => {
+      expect(checkAuthorization({ login: 'dave' }, users, '')).toBe(false)
+    })
+
+    it('denies a user with unknown email', () => {
+      expect(checkAuthorization({ email: 'unknown@other.com' }, users, '')).toBe(false)
+    })
+
+    it('denies a user with neither login nor email', () => {
+      expect(checkAuthorization({}, users, '')).toBe(false)
+    })
+  })
+
+  describe('NUXT_AUTHORIZED_EMAIL_DOMAINS', () => {
+    const domains = 'company.com, corp.org'
+
+    it('allows a user whose email matches the domain', () => {
+      expect(checkAuthorization({ email: 'alice@company.com' }, '', domains)).toBe(true)
+    })
+
+    it('allows a user matching the second listed domain', () => {
+      expect(checkAuthorization({ email: 'bob@corp.org' }, '', domains)).toBe(true)
+    })
+
+    it('allows domain match with leading @ in config (defensive)', () => {
+      expect(checkAuthorization({ email: 'user@company.com' }, '', '@company.com')).toBe(true)
+    })
+
+    it('denies a user from an unlisted domain', () => {
+      expect(checkAuthorization({ email: 'eve@evil.com' }, '', domains)).toBe(false)
+    })
+
+    it('denies a user with no email when domain list is set', () => {
+      expect(checkAuthorization({ login: 'alice' }, '', domains)).toBe(false)
+    })
+  })
+
+  describe('combined NUXT_AUTHORIZED_USERS + NUXT_AUTHORIZED_EMAIL_DOMAINS', () => {
+    const users = 'admin'
+    const domains = 'company.com'
+
+    it('allows an explicitly listed user', () => {
+      expect(checkAuthorization({ login: 'admin' }, users, domains)).toBe(true)
+    })
+
+    it('allows a user from the allowed domain', () => {
+      expect(checkAuthorization({ email: 'alice@company.com' }, users, domains)).toBe(true)
+    })
+
+    it('denies a user who matches neither rule', () => {
+      expect(checkAuthorization({ login: 'eve', email: 'eve@other.com' }, users, domains)).toBe(false)
+    })
+  })
+})
+