Vyasa security is route-aware rather than content-export oriented: the live app decides whether a request should pass, redirect to login, or stop with 403 before the page is rendered. The core checks are assembled in make_user_auth_before(), with config coming from VyasaConfig.get_google_oauth() and VyasaConfig.get_rbac(). This guide is about how to think about auth in a live Vyasa site, not how to build a generic identity system. The important distinction is between "who may log in" and "which paths those people may read."