Auth Policy
Overview
Auth Policy controls how users authenticate and register for a specific application. Each application has its own independent policy. Changes take effect immediately; no restart is required.
Configuration Fields
Allowed Providers
Controls which authentication methods are available for this application.
Only providers that are configured globally (via .env) can be enabled; a provider listed here but not configured globally is never offered.
Options: email, google, apple, github
If none are selected, all globally configured providers are allowed. Note that an empty list is therefore permissive, not restrictive: to limit an application to a single method (for example SSO only), list that provider explicitly.
Signup Policy
Controls how users can create accounts in this application.
| Policy | Behavior |
|---|---|
| open | Anyone can register. No restrictions. |
| invite_only | Users must have a valid invitation to register. |
| admin_approval | Registration is accepted but the user is placed in the pending_approval state. An admin must approve the membership before the user can sign in. |
| auto_on_first_access | Membership is created automatically when the user first accesses the application (e.g., via SSO). |
Email Domains
| Field | Description |
|---|---|
| Allowed Domains | Only email addresses from these domains can register. Empty = all domains allowed. |
| Blocked Domains | Email addresses from these domains cannot register. |
A domain rule is only as trustworthy as the email address it is applied to. For the email provider the address is whatever the user typed until it has been verified, so an allow-list used as an access control should be combined with Require Email Verification (see Other Settings); for social providers the address comes from the identity provider.
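The following is an added example of how the Allowed Providers, Signup Policy and Email Domains rules above combine for one registration attempt. It is illustrative code written for this page, not the project's implementation: the field names follow the page, while the `AuthPolicy`/`Attempt` structures, the function names, the constructed `GLOBAL_PROVIDERS` set, the exact-domain (no subdomain) matching and the choice that a blocked domain always wins over an allow-list are assumptions.

```python
"""Added example: evaluate an application's Auth Policy for a registration attempt.

Illustrative code written for this page, not the project's own implementation.
Field names follow the page; structures, function names and tie-breaks are assumptions.
"""
from dataclasses import dataclass, field

# Providers enabled globally via .env; a constructed sample set for this example.
GLOBAL_PROVIDERS = {"email", "google", "github"}


@dataclass
class AuthPolicy:
    allowed_providers: list = field(default_factory=list)      # [] = all configured
    signup_policy: str = "open"
    allowed_email_domains: list = field(default_factory=list)  # [] = all domains
    blocked_email_domains: list = field(default_factory=list)


@dataclass
class Attempt:
    provider: str
    email: str
    has_invitation: bool = False  # True only after the invitation has been validated


def effective_providers(policy, configured=GLOBAL_PROVIDERS):
    """Empty allowed_providers means 'all configured'. A provider that is not
    configured globally can never be enabled, so always intersect with that set."""
    wanted = set(policy.allowed_providers) or set(configured)
    return wanted & set(configured)


def email_domain(email):
    """Return the lower-cased domain part. Assumption: exact-domain matching,
    so sub.company.com does not match company.com."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("malformed email address")
    return domain.lower()


def domain_allowed(policy, email):
    """Blocked domains are checked first (assumption: a block always wins);
    an empty allow-list permits every domain that is not blocked."""
    domain = email_domain(email)
    if domain in {d.lower() for d in policy.blocked_email_domains}:
        return False
    allowed = {d.lower() for d in policy.allowed_email_domains}
    return not allowed or domain in allowed


def evaluate_signup(policy, attempt):
    """Return (accepted, membership_state_or_rejection_reason)."""
    if attempt.provider not in effective_providers(policy):
        return False, "provider_not_allowed"
    if not domain_allowed(policy, attempt.email):
        return False, "email_domain_not_allowed"
    sp = policy.signup_policy
    if sp == "open":
        return True, "active"
    if sp == "invite_only":
        return (True, "active") if attempt.has_invitation else (False, "invitation_required")
    if sp == "admin_approval":
        return True, "pending_approval"  # cannot sign in until an admin approves
    if sp == "auto_on_first_access":
        return True, "active"  # the first access is itself the registration
    raise ValueError(f"unknown signup_policy {sp!r}")


if __name__ == "__main__":
    enterprise = AuthPolicy(["email", "google"], "admin_approval", ["company.com"])
    print(evaluate_signup(enterprise, Attempt("google", "Alice@Company.com")))
    print(evaluate_signup(enterprise, Attempt("github", "alice@company.com")))
```

Two details are worth keeping when adapting this: the intersection in `effective_providers` is what makes "only globally configured providers can be enabled" hold even if a policy names a provider that was later removed from .env, and the domain check lower-cases both sides so that mixed-case addresses cannot slip past an allow-list.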
Password Policy
| Field | Default | Description |
|---|---|---|
| Min Length | 8 | Minimum password length |
| Require Uppercase | false | Require at least one uppercase letter |
| Require Symbol | false | Require at least one symbol |
| Expiry Days | null | Password expiration period (null = never expires) |
Session Policy
| Field | Default | Description |
|---|---|---|
| TTL Hours | 168 (7 days) | How long a session lasts |
| Max Concurrent | null | Maximum simultaneous sessions per user |
| Idle Timeout | null | Session expires after this period of inactivity |
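The following is an added example covering both the Password Policy and the Session Policy tables above: it reports which password rules fail, applies the expiry period, and classifies a session as active, expired by TTL or expired by idle timeout, evicting the oldest sessions when Max Concurrent is set. It is illustrative code written for this page, not the project's implementation; the `Session` record, the function names, the definition of "symbol" as any non-alphanumeric character, checking TTL before idle timeout, and evicting the oldest session are assumptions.

```python
"""Added example: Password Policy and Session Policy checks.

Illustrative code written for this page, not the project's own implementation.
Field names follow the page; records, function names and tie-breaks are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class PasswordPolicy:
    min_length: int = 8
    require_uppercase: bool = False
    require_symbol: bool = False
    expiry_days: Optional[int] = None  # None = never expires


@dataclass
class SessionPolicy:
    ttl_hours: int = 168                          # 7 days
    max_concurrent: Optional[int] = None          # None = unlimited
    idle_timeout: Optional[timedelta] = None      # None = no idle expiry


@dataclass
class Session:
    id: str
    created_at: datetime
    last_seen_at: datetime


def password_violations(policy, password):
    """Return the rules the password fails (empty list = acceptable).
    Assumption: a 'symbol' is any non-alphanumeric character."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"min_length:{policy.min_length}")
    if policy.require_uppercase and not any(c.isupper() for c in password):
        problems.append("require_uppercase")
    if policy.require_symbol and not any(not c.isalnum() for c in password):
        problems.append("require_symbol")
    return problems


def password_expired(policy, changed_at, now):
    """Expiry Days counts from the last password change; None never expires."""
    if policy.expiry_days is None:
        return False
    return now - changed_at >= timedelta(days=policy.expiry_days)


def session_state(policy, session, now):
    """'active', 'expired_ttl' or 'expired_idle'. TTL is measured from creation,
    idle timeout from the last request; the absolute TTL is checked first."""
    if now - session.created_at >= timedelta(hours=policy.ttl_hours):
        return "expired_ttl"
    if policy.idle_timeout is not None and now - session.last_seen_at >= policy.idle_timeout:
        return "expired_idle"
    return "active"


def admit_session(policy, live_sessions, new_session, now):
    """Add new_session to a user's sessions, dropping expired ones and, when
    max_concurrent is set, the oldest survivors (assumption: oldest evicted).
    Returns the sessions that remain valid after admission."""
    live = [s for s in live_sessions if session_state(policy, s, now) == "active"]
    live.append(new_session)
    if policy.max_concurrent is not None and policy.max_concurrent > 0:
        live.sort(key=lambda s: s.created_at)
        live = live[-policy.max_concurrent:]
    return live


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    strict = PasswordPolicy(min_length=12, require_uppercase=True, require_symbol=True, expiry_days=90)
    print(password_violations(strict, "correcthorse"))
    sp = SessionPolicy(max_concurrent=2, idle_timeout=timedelta(hours=2))
    s = Session("s1", now - timedelta(hours=5), now - timedelta(hours=3))
    print(session_state(sp, s, now))
```

Because expired sessions are filtered out before the concurrency limit is applied, a stale session never counts against a user's Max Concurrent slot; conversely, an idle session that is still inside its idle window does count, which is usually the intended behaviour for a per-user cap.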
Other Settings
| Field | Default | Description |
|---|---|---|
| Require Email Verification | false | Require email verification before allowing signin |
| Required Profile Fields | [] | Fields the user must provide during registration |
Application Scenarios
B2C SaaS (open registration)
```yaml
allowed_providers: [email, google]
signup_policy: open
allowed_email_domains: []   # all domains
```
Enterprise product (domain-restricted)
```yaml
allowed_providers: [email, google]
signup_policy: admin_approval
allowed_email_domains: [company.com]
```
Invite-only product
```yaml
allowed_providers: [email, google]
signup_policy: invite_only
```
Suite member (auto-provisioned on first access)
```yaml
allowed_providers: [email, google]
signup_policy: auto_on_first_access
```