
Set up portal sign-in

Pick which sign-in methods appear on your feedback portal. Password is on by default; add magic link, social OAuth, or your own OpenID Connect provider as you need them.

Configure everything at Admin → Settings → Security → Authentication, then switch to the Portal tab. The Team tab on the same page controls how your team members sign in. The two surfaces are independent, so changing one never locks the other out.

For team-wide single sign-on with verified domains and enforcement, see Single sign-on.

Anonymous voting

Visitors can vote on feedback without creating an account. Anonymous voting is enabled by default; the toggle lives at Admin → Settings → Security → Authentication → Portal tab. It applies to both the portal and the embeddable widget.

When a visitor casts their first anonymous vote, a browser session is created transparently. Their vote registers instantly with no sign-in prompt. If they later create an account, their existing anonymous votes are linked over automatically.

Anonymous sign-in is rate-limited to 50 new anonymous sessions per IP per hour. Once a visitor has a session, casting or un-casting votes doesn't count against the limit.

To require accounts for voting, toggle Anonymous Voting off. Existing anonymous votes still count toward totals.

Sign-in methods

Password

Email + password sign-in.

  • Default: On
  • Password requirements: 8 to 128 characters
  • Reset flow: Users request a reset link by email

Magic link

One-click sign-in link sent by email.

  • Default: Off
  • Requires: Email delivery configured (SMTP or Resend). The toggle stays locked off until email is set up.

When both Password and Magic link are enabled, users can switch between methods on the sign-in form. See magic-link sign-in for details.

OAuth providers

Quackback ships with 10 built-in social providers. Configure each one once and enable it for the Portal, Team, or both. Credentials are stored encrypted in the database; no environment variables to set.

| Provider | Default |
| --- | --- |
| GitHub | On |
| Google | On |
| Microsoft | Off |
| Apple | Off |
| GitLab | Off |
| LinkedIn | Off |
| Facebook | Off |
| Discord | Off |
| Reddit | Off |
| Twitter / X | Off |

A provider's toggle stays locked off until you've saved its Client ID and Client Secret. See OAuth setup for the per-provider walkthrough.

Custom OIDC

Bring your own OpenID Connect identity provider. Configure the discovery URL (or authorization and token URLs manually), then enable the toggle.

  • Default: Off
  • Availability: Plans with the Custom OIDC feature. Lower tiers see a tier-lock badge on the toggle.

For full team-wide SSO with verified domains, enforcement, and JIT provisioning, use Single sign-on instead.
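
Before saving a discovery URL, it helps to check the metadata document it returns. The following is an added example, not Quackback code: a pre-flight check based on the OpenID Connect Discovery 1.0 rules, run here against constructed sample metadata. The helper name `check_discovery` and the host `idp.example.com` are assumptions for illustration.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Metadata Discovery 1.0 requires from a provider offering the code flow.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")


def check_discovery(discovery_url, doc):
    """Hypothetical helper: return a list of problems (empty means pass)."""
    if not discovery_url.startswith("https://") or not discovery_url.endswith(WELL_KNOWN):
        return ["discovery URL must be https and end with " + WELL_KNOWN]
    problems = ["missing required field: " + f for f in REQUIRED if f not in doc]
    # The issuer must be the URL the well-known path was appended to (a trailing
    # slash is dropped before appending), so metadata for another issuer is rejected.
    expected = discovery_url[:-len(WELL_KNOWN)]
    issuer = doc.get("issuer")
    if issuer is not None and issuer.rstrip("/") != expected:
        problems.append(f"issuer {issuer!r} does not match {expected!r}")
    # Codes, tokens and signing keys must only travel over TLS.
    for field in ENDPOINTS:
        url = doc.get(field)
        if url is not None:
            parts = urlsplit(url)
            if parts.scheme != "https" or not parts.hostname:
                problems.append(f"{field} is not an https URL")
    if "code" not in doc.get("response_types_supported", ["code"]):
        problems.append("authorization code flow is not advertised")
    algs = doc.get("id_token_signing_alg_values_supported")
    if algs is not None and not [a for a in algs if a != "none"]:
        problems.append("no ID token signing algorithm other than 'none'")
    return problems


# Constructed sample metadata; idp.example.com is a placeholder host.
URL = "https://idp.example.com/tenant-a" + WELL_KNOWN
GOOD = {
    "issuer": "https://idp.example.com/tenant-a",
    "authorization_endpoint": "https://idp.example.com/tenant-a/authorize",
    "token_endpoint": "https://idp.example.com/tenant-a/token",
    "jwks_uri": "https://idp.example.com/tenant-a/keys",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
BAD = dict(GOOD, issuer="https://idp.example.com/tenant-b",
           token_endpoint="http://idp.example.com/tenant-a/token")
```

`check_discovery(URL, GOOD)` returns an empty list, while `check_discovery(URL, BAD)` reports the issuer mismatch and the plain-HTTP token endpoint.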

Enable or disable methods

  1. Go to Admin → Settings → Security → Authentication and switch to the Portal tab.
  2. Toggle each method on or off. Changes save automatically.

The UI keeps at least one method enabled. When only one is on, its toggle is disabled. OAuth provider tiles show a small lock icon with a tooltip; password, magic link, and Custom OIDC just grey out the switch.

When all methods are disabled

The Authentication tab refuses to disable the last enabled method, but if you've edited the configuration file or the database directly and turned every portal sign-in method off, the portal degrades gracefully:

  • The Log in and Sign up buttons are hidden from the public portal header. Clicking them would open a dialog with no usable path forward, so they're suppressed.
  • Team members can still sign in by visiting /admin/login directly (or /admin, which redirects). The Team tab is independent from the Portal tab, so disabling portal auth never locks admins out.
  • Portal users on a verified SSO domain still see the Log in / Sign up buttons. The portal email dispatcher routes matching addresses into the SSO flow even when no other method is enabled. You can run an "SSO-only portal" by turning off every other portal method while keeping Single sign-on configured for your domain.

Access control

| Role | Can view | Can modify |
| --- | --- | --- |
| Admin | Yes | Yes |
| Member | No | No |
