Set up SuperTokens auth to work at the app.company.com domain and use headers instead of cookies, configure Next.js to accept client subdomains like app.client1.com and app.client2.com, and update the middleware to verify/check the auth state; when unauthenticated, redirect to the main domain login (and save yourself from configuring multiple callback URLs for each OAuth/OIDC for each client).
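The check-and-redirect step described above, as an added example that is not part of the original note and is not SuperTokens or Next.js code: framework-independent JavaScript that verifies a bearer token from the Authorization header and otherwise redirects to the main-domain login. The `/auth` path, the `returnTo` parameter, the function names and the locally generated RS256 key pair (standing in for the session signing keys) are assumptions.

```javascript
const crypto = require("node:crypto");

// Hostnames come from the note above; "/auth" and "returnTo" are hypothetical names.
const MAIN_LOGIN = "https://app.company.com/auth";
const CLIENT_HOSTS = new Set(["app.client1.com", "app.client2.com"]);

// Verify a compact RS256 JWT against a known public key; returns claims or null.
function verifyJwt(token, publicKey, nowSec) {
  const [h, p, s, extra] = String(token).split(".");
  if (!h || !p || !s || extra !== undefined) return null;
  try {
    const header = JSON.parse(Buffer.from(h, "base64url").toString());
    if (header.alg !== "RS256") return null; // pin the algorithm; reject "none" and HS256
    const signed = Buffer.from(h + "." + p);
    if (!crypto.verify("RSA-SHA256", signed, publicKey, Buffer.from(s, "base64url"))) return null;
    const claims = JSON.parse(Buffer.from(p, "base64url").toString());
    return typeof claims.exp === "number" && claims.exp > nowSec ? claims : null;
  } catch {
    return null; // malformed token
  }
}

// Middleware decision: pass the request on, reject it, or redirect to the main-domain login.
function decide(req, publicKey, nowSec) {
  const host = String(req.host || "").toLowerCase().replace(/:\d+$/, "");
  // Never build a redirect from an unrecognised Host header.
  if (!CLIENT_HOSTS.has(host)) return { action: "reject", status: 400 };
  const m = /^Bearer ([A-Za-z0-9._-]+)$/.exec(req.authorization || "");
  const claims = m ? verifyJwt(m[1], publicKey, nowSec) : null;
  if (claims) return { action: "next", userId: claims.sub };
  // The return path must start with a single "/", so it cannot alter the host part.
  const path = /^\/(?!\/)/.test(req.path || "") ? req.path : "/";
  const login = new URL(MAIN_LOGIN);
  login.searchParams.set("returnTo", "https://" + host + path);
  return { action: "redirect", location: login.toString() };
}

// Constructed sample key pair and token minting, for demonstration only.
const keys = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
function mint(claims, alg = "RS256") {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const body = enc({ alg, typ: "JWT" }) + "." + enc(claims);
  const sig = crypto.sign("RSA-SHA256", Buffer.from(body), keys.privateKey);
  return body + "." + sig.toString("base64url");
}
```

The login page on app.company.com has to apply the same host allowlist to `returnTo` before sending the user back, otherwise the parameter becomes an open redirect.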