Authentication

Quackback supports multiple sign-in methods: email and password, passwordless email codes (OTP), and OAuth providers. Choose the combination that fits your users.

Authentication Flows

Quackback has two distinct authentication systems for different audiences:

Audience	Who	Settings Location
Portal Users	Customers who submit feedback	Admin → Settings → Portal Authentication
Team Members	Employees who manage feedback	Admin → Settings → Security

Portal Users

Regular users who submit and vote on feedback:

Method	Description	Default
Password	Email and password sign-in	Enabled
Email OTP	6-digit code sent to email	Disabled
OAuth	10 social providers (GitHub, Google, Apple, Discord, etc.)	Per-provider
Custom OIDC	Enterprise SSO (Okta, Auth0, Keycloak, etc.)	Disabled

Configure in: Admin → Settings → Portal Authentication

Team Members

Admins and staff who manage feedback in the admin dashboard:

Method	Description
Password	Email and password sign-in
Email OTP	6-digit code sent to email
OAuth	10 social providers (GitHub, Google, Apple, Discord, etc.)
Custom OIDC	Enterprise SSO (Okta, Auth0, Keycloak, etc.)

Configure in: Admin → Settings → Security

Quick Setup

Minimal Configuration

# Required
SECRET_KEY="your-32-char-secret"  # openssl rand -base64 32
BASE_URL="https://feedback.yourcompany.com"

With just these settings:

Password sign-in works for all users
Email OTP is available if enabled (codes print to console without email configured)

With Email Delivery

# SMTP
EMAIL_SMTP_HOST="smtp.sendgrid.net"
EMAIL_SMTP_PORT="587"
EMAIL_SMTP_USER="apikey"
EMAIL_SMTP_PASS="your-api-key"
EMAIL_FROM="feedback@yourcompany.com"

Quackback supports 10 built-in social providers plus custom OIDC for enterprise identity. All providers are configured through the admin dashboard - enter your Client ID and Client Secret, then toggle the provider on.

See Set up OAuth providers for detailed setup instructions for each provider, and Custom OIDC for enterprise identity providers.

Sessions

Session Duration

Default: 7 days
Refreshed every 24 hours on activity
Invalidated on logout

Session Storage

Sessions are stored in PostgreSQL:

session table for active sessions
Automatic cleanup of expired sessions

Roles & Permissions

Portal User

Submit feedback
Vote on posts
Comment on posts
Manage notifications

Team Member

All portal user permissions
Access admin dashboard
Manage feedback
Change post statuses

Admin

All member permissions
Workspace settings
Team management
Integration configuration

Security Features

CSRF Protection

Better Auth provides automatic CSRF protection using trusted origin validation. The application dynamically trusts origins based on the request host.

OTP Settings

OTP code length: 6 digits
OTP expiration: 10 minutes
Magic link expiration: 7 days (used for team member invitations)

Rate limiting for authentication is not currently implemented at the application level. The resend cooldown (60 seconds) is enforced client-side only. Consider using a reverse proxy (nginx, Cloudflare) for rate limiting in production.

Customization

Portal Authentication

Control what sign-in methods are available to portal users (customers):

Go to Admin → Settings → Portal Authentication
Toggle methods on/off (Password, Email OTP, social providers, Custom OIDC)

See Portal Authentication for details.

Team Authentication

Control what sign-in methods are available to team members (employees):

Go to Admin → Settings → Security
Toggle methods on/off (Password, Email OTP, social providers, Custom OIDC)

See Security for details.

Troubleshooting

"Invalid session" errors

Clear browser cookies
Try incognito mode
Check BASE_URL matches your domain

OTP not received

Check spam folder
Verify email configuration
Check console for OTP in development

OAuth redirect errors

Verify callback URL matches exactly
Check client ID and secret
Ensure provider is properly configured

Next steps

Email OTP - Email code setup
OAuth - Social login configuration
Custom OIDC - Enterprise SSO setup