Authentication

This page covers how your agents sign in to the tenant app. ActionConnect supports email + password out of the box and optional single sign-on (SSO) with your own identity provider. For automatically importing accounts from Azure Entra ID, see Directory sync.

Email + password

Every organization starts with email-and-password sign-in:

  • Passwords are stored only as a PBKDF2 hash (with a per-user salt) — never in plain text.
  • Sessions are opaque server-side tokens; only the hash of a session token is stored, so a leaked database row cannot be replayed as a login.
  • Signing out invalidates the session immediately.

Routes used by the app: /api/auth/login, /api/auth/me, /api/auth/logout.
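The storage model described above, as an added sketch rather than ActionConnect's own code: it shows why a leaked session row cannot be replayed as a login. The function names, the in-memory dicts standing in for database tables, the iteration count, and the use of SHA-256 are all assumptions not stated on this page.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 600_000  # assumed work factor; the page does not state one
users = {}     # email -> (salt, PBKDF2 hash); stands in for the users table
sessions = {}  # SHA-256(token) -> email; the raw token is never stored
DUMMY_SALT = secrets.token_bytes(16)  # used to equalize timing for unknown emails


def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def register(email: str, password: str) -> None:
    salt = secrets.token_bytes(16)  # fresh salt per user
    users[email] = (salt, derive_key(password, salt))


def login(email: str, password: str) -> Optional[str]:
    """Role of /api/auth/login: return an opaque token, or None on failure."""
    salt, stored = users.get(email, (DUMMY_SALT, b""))
    candidate = derive_key(password, salt)  # always computed, known user or not
    if not hmac.compare_digest(stored, candidate):
        return None
    token = secrets.token_urlsafe(32)   # random, handed to the client only
    sessions[token_key(token)] = email  # the server keeps just the hash
    return token


def current_user(token: str) -> Optional[str]:
    """Role of /api/auth/me: resolve a presented token to its user."""
    return sessions.get(token_key(token))


def logout(token: str) -> None:
    """Role of /api/auth/logout: the session stops resolving immediately."""
    sessions.pop(token_key(token), None)
```

Presenting a stored key from the sessions table as a token fails because the server hashes whatever it receives before the lookup.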

Single sign-on (SSO)

If your organization uses an identity provider (Microsoft Entra, Google Workspace, Okta, or any OIDC-compliant IdP), you can let agents sign in through it. ActionConnect implements the OIDC authorization-code flow with PKCE and can just-in-time provision users on first login. See Tenant SSO for setup, enforcement, and JIT provisioning.

NOTE

SSO-only users have no password on their ActionConnect account — they exist solely as an identity linked to your IdP. You can mix password users and SSO users in the same organization, or enforce SSO so password login is disabled.

Choosing a model

| Model | Best for |
| --- | --- |
| Email + password | Small teams, or contractors outside your IdP. |
| SSO (OIDC + PKCE) | Organizations that centralize identity and want one set of credentials and offboarding. |
| SSO + directory sync | Larger organizations that also want accounts created and deactivated automatically from their directory. |

  • Tenant SSO — connect your IdP, enforce SSO, JIT provisioning.
  • Directory sync — pull and reconcile users from Azure Entra ID.
  • Users & roles — what each user can do once signed in.
  • End-users (customers) do not use this; they sign in to the portal with a magic link.
