Sign Up & Sign In
Vygl supports email/password sign-in plus four SSO providers. On first SSO sign-in (when self-service signup is enabled), a new organization is created automatically; if an account with the same email already exists, the SSO login links to it. GitHub additionally requires the email to be a verified primary; the other providers trust whatever the IdP returns.
Sign-in methods
Section titled “Sign-in methods”The default sign-in method. Visit /login, enter your email and password, and you’re in. The login endpoint enforces a rate limit (10 attempts per IP per 15 minutes) to deter brute force; the password-reset endpoint applies a tighter 5-attempt window to discourage probing.
If you’ve forgotten your password, click Forgot Password — Vygl emails a reset token valid for 15 minutes. The reset endpoint returns 200 regardless of whether the email exists, so it’s safe against account-enumeration probes.
Sign in with any Google account. Vygl requests the standard OpenID profile and email scopes. On first sign-in, your name, email, and profile picture are imported automatically.
Sign in with Microsoft Entra ID (formerly Azure AD). Uses OpenID Connect — Vygl validates the signed id_token against Microsoft’s published key set rather than trusting the access token. The Entra tenant can be restricted to a single directory or left open to any Entra directory.
Scopes: openid profile email.
Sign in with your GitHub account. Vygl requests the user:email scope to read your verified primary email. This is separate from the GitHub App installed for repository scanning — sign-in just identifies you as a user.
Sign in with your GitLab.com or self-hosted GitLab account. Scopes: read_user. As with GitHub, this is separate from the GitLab integration installed for repository access.
Session model
Section titled “Session model”After sign-in, Vygl issues a JWT access token (30 minutes) backed by a refresh token (7 days). The browser refreshes transparently in the background; there’s no manual token handling for end users. Tokens are stateless JWTs — sign-out happens client-side by discarding them.
Organizations
Section titled “Organizations”Every user belongs to one or more organizations. The first time you sign in, an org is created for you; if you accept an invite from an existing org, you join that org instead. Switch between orgs with the dropdown in the top nav — no re-authentication needed.
For more on organization structure, see Members & Roles.
Self-service signup
Section titled “Self-service signup”Self-service signup is disabled in production — accounts are created via invitation. To get an account, ask an existing org owner or admin to invite you. The invite is one-time, expires in seven days, and includes the role you’ll have when you join.
Self-hosted Vygl instances can enable self-service signup via the SSO_ALLOW_REGISTRATION setting at deployment time.