Sign Up & Sign In
Vygl supports email/password sign-in plus four SSO providers. On first SSO sign-in, a new organization is created automatically; if an account with the same verified email already exists, the SSO login links to it.
Sign-in methods
Email and password
The default sign-in method. Visit /login, enter your email and password, and you’re in. The login endpoint enforces a rate limit (5 attempts per IP per 15 minutes) to deter brute force.
If you’ve forgotten your password, click Forgot Password — Vygl emails a reset token valid for seven days. The reset endpoint returns 200 regardless of whether the email exists, so it’s safe against account-enumeration probes.
Google
Sign in with any Google account. Vygl requests the standard OpenID profile and email scopes. On first sign-in, your name, email, and profile picture are imported automatically.
Microsoft Entra ID
Sign in with Microsoft Entra ID (formerly Azure AD). Uses OpenID Connect — Vygl validates the signed id_token against Microsoft’s published key set rather than trusting the access token. The Entra tenant can be restricted to a single directory or left open to any Entra directory.
Scopes: openid profile email.
GitHub
Sign in with your GitHub account. Vygl requests the user:email scope to read your verified primary email. This is separate from the GitHub App installed for repository scanning — sign-in just identifies you as a user.
GitLab
Sign in with your GitLab.com or self-hosted GitLab account. Scopes: read_user. As with GitHub, this is separate from the GitLab integration installed for repository access.
Session model
After sign-in, Vygl issues a short-lived JWT access token (15 minutes) backed by a refresh token (7 days). The browser refreshes transparently in the background; there’s no manual token handling for end users.
Refresh token rotation. Each refresh returns a new refresh token and retires the old one. Presenting an old, already-used refresh token automatically revokes the entire session — a security feature that limits exposure if a token is leaked. If you suddenly find yourself signed out everywhere, this is most likely why.
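As an added illustration (not Vygl’s own code), the following Python models the rotation and reuse-detection behaviour described above: every refresh retires the old token, and presenting a retired token revokes the whole session family so that even the current token stops working. Storing only token hashes, the "family" naming and the injectable clock are assumptions of this example.

```python
import hashlib
import secrets
import time

REFRESH_TTL = 7 * 24 * 3600  # refresh tokens live seven days


class RefreshTokenStore:
    """In-memory model of rotating refresh tokens with reuse detection.

    Each sign-in creates a token family. Every rotation mints a fresh token
    and retires the old one. Presenting a retired token is treated as a leak
    indicator and revokes the whole family (signs out everywhere).
    Only SHA-256 hashes of tokens are kept server-side (assumption).
    """

    def __init__(self, now=time.time):
        self._now = now            # injectable clock for tests
        self._tokens = {}          # token hash -> [family_id, issued_at, retired]
        self._revoked = set()      # family ids that have been revoked

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _mint(self, family_id):
        token = secrets.token_urlsafe(32)
        self._tokens[self._h(token)] = [family_id, self._now(), False]
        return token

    def start_session(self, user_id):
        """Called after a successful sign-in; returns (family_id, refresh_token)."""
        family_id = f"{user_id}:{secrets.token_hex(8)}"
        return family_id, self._mint(family_id)

    def rotate(self, token):
        """Exchange a refresh token for a new one. Returns (status, new_token or None)."""
        rec = self._tokens.get(self._h(token))
        if rec is None:
            return "unknown", None
        family_id, issued_at, retired = rec
        if family_id in self._revoked:
            return "revoked", None
        if self._now() - issued_at > REFRESH_TTL:
            return "expired", None
        if retired:
            # Replay of an already-rotated token: revoke the entire family.
            self._revoked.add(family_id)
            return "reuse_detected", None
        rec[2] = True              # retire the presented token
        return "ok", self._mint(family_id)

    def is_revoked(self, family_id):
        return family_id in self._revoked
```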
Organizations
Every user belongs to one or more organizations. The first time you sign in, an org is created for you; if you accept an invite from an existing org, you join that org instead. Switch between orgs with the dropdown in the top nav — no re-authentication needed.
For more on organization structure, see Members & Roles.
Self-service signup
Self-service signup is disabled in production — accounts are created via invitation. To get an account, ask an existing org owner or admin to invite you. The invite is one-time, expires in seven days, and includes the role you’ll have when you join.
Self-hosted Vygl instances can enable self-service signup via the SSO_ALLOW_REGISTRATION setting at deployment time.