Login & Auth#

Login & Auth controls the login page, registration entry points, email verification, human verification, identity providers, and login security policy. It decides how users enter the platform and how sensitive security flows verify identity.

Entry Point#

Open Login & auth in the admin console. The page is organized into Login page, Login and registration, Human verification, Binding and verification, Login security, and OIDC / OAuth2 identity providers.

Before changing authentication settings, make sure at least one administrator can still sign in through an available method, so the admin console does not become inaccessible.

Login Page#

Login page settings control the browser tab title and the default destination after sign-in. The default next path is used when users visit /login without a next parameter.

If your deployment has a dedicated workspace home, Recent page, or admin entry, adjust the default path accordingly.

Login and Registration#

Login and registration settings control email sign-in, username sign-in, email registration, password reset, and third-party login.

SwitchEffect
Email sign-inAllows users to sign in with email and password.
Username sign-inAllows users to sign in with username and password.
Email registrationAllows users to create accounts with email.
Password resetAllows password reset from the login page, usually requiring email verification.
Third-party loginShows enabled OIDC / OAuth2 identity providers.

If both email and username sign-in are disabled, enable third-party login first and confirm administrators have a usable bound identity provider.

Email Verification#

When email verification is enabled, email registration, email changes, password reset, and some security operations depend on verification emails. Configure SMTP host, port, username, password, and sender before enabling it.

The registration domain allowlist restricts which email domains can register. Blocking plus aliases prevents + alias addresses from bypassing registration policy.

Human Verification#

Registration human verification uses Cloudflare Turnstile to reduce automated signups. It only affects email registration, not third-party login. Enable email registration first, then provide the Turnstile Site Key and Secret Key.

Identity Providers#

Third-party login supports custom OIDC and OAuth2 providers. Administrators can create, edit, reorder, enable or disable login control and registration control, and configure logo, client information, endpoints, scopes, and field mapping.

Login control decides whether existing accounts can sign in through the provider. Registration control decides whether the provider can create new accounts. Auto-link by verified email only links to an existing account when the provider returns a verified email.

Deleting a provider unlinks all accounts using it. If some accounts rely only on that provider, the UI warns about forced deletion. Confirm those users have passwords or another provider before deletion.

Login Security#

Login security controls access-token lifetime, refresh/session lifetime, failure lock threshold, lock duration, and platform HTTP 429 rate limiting.

Shorter session lifetime fits higher-security environments; longer lifetime fits trusted internal deployments. Failure lock protects against password spraying and brute force. Platform rate limiting limits high-frequency requests; coordinate it with gateway-level rate limiting if one already exists.

Practical Tips#

Configure at least two reliable administrator sign-in methods before opening registration or third-party login. After changing auth policy, test sign-in, registration, password reset, third-party binding, and re-login after logout with both admin and normal user accounts.

Setting Key Reference#

Login & Auth maps to auth.* settings. Check these real keys when updating configuration docs or deployment values.

GroupSetting Keys
Login pageauth.login_page_title, auth.login_default_next_path
Login and registrationauth.email_login_enabled, auth.email_registration_enabled, auth.password_reset_enabled, auth.username_login_enabled, auth.third_party_login_enabled
Turnstileauth.turnstile_registration_enabled, auth.turnstile_site_key, auth.turnstile_secret_key
Email verification and SMTPauth.email_verification_enabled, auth.smtp_host, auth.smtp_port, auth.smtp_username, auth.smtp_password, auth.smtp_from
Registration policyauth.email_registration_allowed_domains, auth.email_registration_block_plus_alias, auth.auto_link_verified_email
Login securityauth.token_ttl_hours, auth.refresh_token_ttl_hours, auth.login_max_failures, auth.login_lock_minutes, auth.rate_limit_enabled, auth.rate_limit_rpm, auth.public_auth_rate_limit_rpm

OIDC / OAuth2 providers are provider records rather than single auth.* keys. Their login and registration availability is controlled by each provider record.