Google-first access
Sign in on the front end, then hand the token to Cloud Run.
This page now follows the simpler docs-site pattern: Firebase browser auth first, Cloud Run session cookie second. The protected backend only gets involved after Google sign-in succeeds.
Approved Google accounts are still checked by the server before workspace access is granted. Standard email/password remains staged and disabled until you intentionally open it.