
Authentication Methods

Sorcia supports multiple authentication methods:

Email & Password

Passwords:
  • Hashing: bcrypt (salted)
  • Minimum length: 8 characters
  • Complexity: Enforced in the UI (see Password Requirements below)
  • Breached passwords: Checked against known breaches

Emailed links (for example, password reset):
  • Time-limited: 1-hour expiration
  • Single-use: Cannot be reused
  • Signed: HMAC signature verification

OAuth (Enterprise)

  • Google - Workspace accounts
  • Microsoft - Azure AD
  • GitHub - Organization SSO

SAML/OIDC (Enterprise)

  • Custom IdP - Your identity provider
  • Just-in-Time - Auto-provision users
  • Group Mapping - Sync permission groups

Session Management

JWT Tokens

{
  "user_id": "user_123",
  "org_id": "org_abc",
  "role": "admin",
  "exp": 1234567890,
  "iat": 1234564290
}
exp is iat + 3600 seconds (1 hour).
Properties:
  • Expiration: 1 hour
  • Refresh: Via refresh token
  • Revocation: Token blacklist
  • Storage: httpOnly cookies (web)

Refresh Tokens

  • Long-lived: 30 days
  • Rotation: New token on each use
  • Revokable: Can be invalidated

Multi-Factor Authentication (MFA)

Enable MFA for enhanced security:
1. Enable in Settings

   Settings → Security → Enable MFA

2. Choose Method

   • Authenticator app (TOTP)
   • SMS (Enterprise)
   • Hardware key (Enterprise)

3. Scan QR Code

   Use an app such as Google Authenticator

4. Verify

   Enter the 6-digit code

Save backup codes in case you lose access to your MFA device.
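What the authenticator-app path above does on the server side, as an added example in Python (not Sorcia's own code). It assumes the standard TOTP parameters (RFC 6238 with HMAC-SHA1, 30-second steps, 6 digits), which is what Google Authenticator uses by default; the page does not state Sorcia's parameters. The block builds the otpauth URI that the QR code encodes, verifies a submitted code with a one-step drift window, and issues single-use backup codes that are stored only as digests:

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional

PERIOD = 30   # seconds per TOTP step (assumed)
DIGITS = 6    # the 6-digit code the page asks for


def generate_totp_secret() -> str:
    """Fresh 160-bit secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def provisioning_uri(secret: str, account: str, issuer: str = "Sorcia") -> str:
    """The otpauth:// string that goes into the QR code the user scans."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret, "issuer": issuer,
                                    "algorithm": "SHA1", "digits": DIGITS, "period": PERIOD})
    return f"otpauth://totp/{label}?{query}"


def totp_code(secret: str, at: Optional[float] = None) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, dynamically truncated to DIGITS digits."""
    at = time.time() if at is None else at
    counter = int(at) // PERIOD
    mac = hmac.new(base64.b32decode(secret), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret: str, code: str, at: Optional[float] = None, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to absorb clock drift."""
    at = time.time() if at is None else at
    matched = False
    for step in range(-window, window + 1):
        # Evaluate every candidate and compare in constant time, so timing does not leak which step matched.
        if hmac.compare_digest(totp_code(secret, at + step * PERIOD), code):
            matched = True
    return matched


def generate_backup_codes(count: int = 8):
    """One-time recovery codes: the plaintext is shown to the user once, only SHA-256 digests are kept."""
    codes = [secrets.token_hex(5) for _ in range(count)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored


def redeem_backup_code(stored: set, code: str) -> bool:
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored:
        stored.discard(digest)   # single-use: a replayed backup code fails
        return True
    return False
```

A server should additionally remember the last step it accepted for a user and refuse to accept the same step twice, otherwise a code observed over the shoulder remains valid for the rest of its window.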

API Authentication

API Keys

curl https://api.sorcia.ai/api/query \
  -H "X-API-Key: sk_live_abc123..."
Security:
  • SHA-256 hashed
  • Prefix identifies environment
  • Can be revoked anytime
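The three properties above (hashed at rest, environment in the prefix, revokable), as an added example in Python that is not Sorcia's own code. It assumes `sk_live_` and `sk_test_` are the environment prefixes (the page only shows `sk_live_`), an in-memory store, and 192 bits of randomness per key. Unsalted SHA-256 is appropriate here, unlike for passwords, because a key of that entropy cannot be brute-forced from its digest:

```python
import hashlib
import secrets
from typing import Dict, Optional

ENVIRONMENTS = ("live", "test")   # assumed: the prefix sk_live_ / sk_test_ names the environment


def _digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


def parse_environment(key: str) -> Optional[str]:
    """'sk_live_...' -> 'live'; anything not shaped like a key -> None."""
    parts = key.split("_", 2)
    if len(parts) != 3 or parts[0] != "sk" or parts[1] not in ENVIRONMENTS or not parts[2]:
        return None
    return parts[1]


class ApiKeyStore:
    """The plaintext key is returned exactly once at creation; only its SHA-256 digest is stored."""

    def __init__(self):
        self._by_digest: Dict[str, dict] = {}

    def create(self, org_id: str, env: str) -> str:
        if env not in ENVIRONMENTS:
            raise ValueError(f"unknown environment {env!r}")
        key = f"sk_{env}_{secrets.token_urlsafe(24)}"   # 24 random bytes = 192 bits
        self._by_digest[_digest(key)] = {"org_id": org_id, "env": env, "revoked": False}
        return key

    def authenticate(self, presented: str) -> Optional[dict]:
        """Look the key up by digest; the prefix must agree with the stored environment."""
        env = parse_environment(presented)
        if env is None:
            return None
        record = self._by_digest.get(_digest(presented))
        if record is None or record["revoked"] or record["env"] != env:
            return None
        return record

    def revoke(self, presented: str) -> None:
        record = self._by_digest.get(_digest(presented))
        if record is not None:
            record["revoked"] = True          # the digest stays so a revoked key can never be re-created


def authenticate_request(store: ApiKeyStore, headers: Dict[str, str]) -> Optional[dict]:
    """Pull the key from the X-API-Key header that the curl example above sends."""
    key = headers.get("X-API-Key") or headers.get("x-api-key")
    return store.authenticate(key) if key else None
```

Keeping the environment in a parseable prefix also lets secret scanners (pre-commit hooks, repository scanning) recognise a leaked `sk_live_` key by pattern, which is the practical reason to use a recognisable prefix rather than a bare random string.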

Bearer Tokens

curl https://api.sorcia.ai/api/query \
  -H "Authorization: Bearer eyJhbGc..."
Security:
  • JWT with signature verification
  • Short-lived (1 hour)
  • Automatic refresh

Security Best Practices

Passwords:
  • Use at least 12 characters (the enforced minimum is 8)
  • Mix of uppercase, lowercase, numbers, symbols
  • Unique to Sorcia (not reused elsewhere)

MFA:
  • Required for admins and owners
  • Recommended for all users
  • Use an authenticator app, not SMS

API keys:
  • Rotate quarterly
  • Rotate after a team member departs
  • Never commit to version control

Sessions:
  • Review active sessions regularly
  • Revoke unknown sessions
  • Log out from shared devices

Session Security

Active Sessions

View and manage: Settings → Security → Active Sessions

Each session shows:
  • Device/browser
  • Location (IP-based)
  • Last activity
  • Revoke option

Automatic Logout

Sessions automatically expire:
  • Inactivity: 7 days
  • Absolute: 30 days
  • Token expiry: 1 hour (refresh extends)

Password Security

Password Requirements

  • Minimum 8 characters
  • At least one uppercase letter
  • At least one number
  • Cannot be common password
  • Cannot be in breach database
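The five requirements above as a server-side check, added here as an example in Python rather than Sorcia's own code. The page does not say which breach corpus Sorcia queries; the block implements the k-anonymity range pattern that Have I Been Pwned's Pwned Passwords API uses, where only the first five hex characters of the password's SHA-1 leave the server and the matching is done locally on the returned suffixes. The common-password list and the breach corpus are constructed samples, so the block runs offline:

```python
import hashlib
import re
from typing import Callable, Dict, Iterable, List

# Constructed sample of a common-password list; production uses a list of many thousands.
COMMON_PASSWORDS = {"password", "password1", "12345678", "qwerty123", "letmein1"}

# Constructed sample breach corpus, used only to build the fake range responses below.
_BREACHED_SAMPLE = ["Password123", "Summer2024", "Welcome1"]


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


def _build_ranges(passwords: Iterable[str]) -> Dict[str, List[str]]:
    ranges: Dict[str, List[str]] = {}
    for pw in passwords:
        prefix, suffix = sha1_prefix_suffix(pw)
        ranges.setdefault(prefix, []).append(f"{suffix}:{len(pw)}")   # the count column is arbitrary here
    return ranges


_RANGES = _build_ranges(_BREACHED_SAMPLE)


def local_range_lookup(prefix: str) -> List[str]:
    """Stand-in for the range API: 'SUFFIX:COUNT' lines for every known hash starting with `prefix`."""
    return _RANGES.get(prefix, [])


def breached_count(password: str, range_lookup: Callable[[str], Iterable[str]]) -> int:
    """How many times the password appears in the corpus, without ever transmitting its full hash."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix):
        tail, _, count = line.strip().partition(":")
        if tail.upper() == suffix:
            return int(count)
    return 0


def check_password(password: str, range_lookup=local_range_lookup) -> List[str]:
    """Return the list of violated requirements; an empty list means the password is acceptable."""
    problems = []
    if len(password) < 8:
        problems.append("minimum 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("at least one uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("at least one number")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("cannot be a common password")
    if breached_count(password, range_lookup) > 0:
        problems.append("cannot be in breach database")
    return problems
```

To use a live corpus, swap `local_range_lookup` for a function that fetches the range for the prefix over HTTPS and returns the response lines; `check_password` and `breached_count` do not change.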

Password Reset

1. Request Reset

   Click “Forgot Password” on the login page

2. Receive Email

   Check your email for the reset link

3. Create New Password

   Enter a new password that meets the requirements

4. Verify

   Log in with the new password

Security:
  • Reset links expire in 1 hour
  • Previous password cannot be reused
  • All sessions invalidated on reset
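The reset flow above, together with the emailed-link properties listed under Email & Password (time-limited, single-use, HMAC-signed), as an added example in Python that is not Sorcia's own code. It assumes an in-memory account store, a reset signing key separate from any session-signing key, and, because bcrypt is not in the Python standard library, salted PBKDF2-SHA256 as a stand-in for the bcrypt hashing the page describes. The token carried in the link is a random id plus its issue time, both covered by an HMAC; the server keeps the id until it is used, which is what makes the link single-use:

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

RESET_KEY = b"constructed-reset-signing-key"   # constructed; keep distinct from session-signing keys
RESET_TTL = 3600                               # reset links expire in 1 hour
_SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Stand-in for bcrypt: salt || PBKDF2-SHA256(password, salt)."""
    salt = os.urandom(_SALT_LEN) if salt is None else salt
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_matches(password: str, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, stored[:_SALT_LEN]), stored)


class Accounts:
    def __init__(self):
        self.password_hash = {}   # user_id -> salted hash
        self.sessions = {}        # user_id -> set of live session ids
        self._pending = {}        # reset token id -> (user_id, issued_at)

    def request_reset(self, user_id: str, now: Optional[int] = None) -> str:
        """Token embedded in the emailed link: random id, issue time, HMAC over both."""
        now = int(time.time()) if now is None else now
        tid = secrets.token_urlsafe(16)
        self._pending[tid] = (user_id, now)
        sig = hmac.new(RESET_KEY, f"{tid}.{now}".encode(), hashlib.sha256).hexdigest()
        return f"{tid}.{now}.{sig}"

    def _consume_reset(self, token: str, now: int) -> Optional[str]:
        """Check signature, then single-use, then age. Returns the user id or None."""
        try:
            tid, issued_text, sig = token.split(".")
            issued = int(issued_text)
        except ValueError:
            return None
        expected = hmac.new(RESET_KEY, f"{tid}.{issued}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
        entry = self._pending.pop(tid, None)       # removed on first presentation, valid or not
        if entry is None or entry[1] != issued or now - issued > RESET_TTL:
            return None
        return entry[0]

    def complete_reset(self, token: str, new_password: str, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        user_id = self._consume_reset(token, now)
        if user_id is None:
            return "invalid or expired link"
        previous = self.password_hash.get(user_id)
        if previous is not None and password_matches(new_password, previous):
            return "previous password cannot be reused"
        self.password_hash[user_id] = hash_password(new_password)
        self.sessions.pop(user_id, None)            # all sessions invalidated on reset
        return "ok"
```

Checking the signature before touching `_pending` means an attacker who guesses token ids cannot burn a legitimate user's pending reset, and popping the id before the age check means an expired token cannot be retried later either.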

Next Steps

Row-Level Security

Learn about database security