OptionaluserOptionalapiapiKey plugin: a key carries its own permissions/scopes.
OptionalscopesOptionaltwotwoFactor plugin: the session has cleared its second factor ⇒ the mfa:verified scope (Phase 1).
Optionalorganizationsorganization plugin: memberships → org:<id>:<scope> scopes (Phase 1, tenancy via scope-encoding).
A minimal view of a Better Auth session (duck-typed; works with the real Session shape).