Skip to content

Authentication

Quackback splits authentication into two concerns: who's allowed in and how they sign in. Both live on Admin → Settings → Security → Authentication, which has three tabs:

TabControlsDoc
Portal accessVisibility, allowed domains, email invites, allowed segments, widget sign-inControl portal access and sign-in
Team accessTeam-side 2FA and the SSO summaryConfigure team security
Sign-in providersPassword, magic link, social OAuth, Custom OIDC — per-surface togglesSign-in providers

Two audiences

AudienceWho they are
Portal usersCustomers who submit and vote on feedback.
Team membersAdmins and members who manage feedback.

A team member can also use the public portal like any other user.

Portal access channels

A private portal admits visitors through these channels, evaluated in order:

ChannelWho it lets inRequires
TeamAdmins and membersReal authenticated session
Allowed domainAnyone whose verified email matches a listed domainEmail verified
Email inviteA specific person you invitedEmail verified
Allowed segmentAny member of a permitted segmentEmail verified
Widget sign-inA visitor signed into your embedded widgetVerified-identity widget + admin opt-in

See Control portal access for the full setup walkthrough.

Sign-in methods

MethodPortal usersTeam members
PasswordYes (on by default)Yes (on by default)
Magic linkOptional (off by default)Yes (on by default)
OAuth social10 providers (Apple, Discord, Facebook, GitHub, GitLab, Google, LinkedIn, Microsoft, Reddit, Twitter / X)Same 10 providers - GitHub and Google on by default
Custom OIDC (portal button)One OIDC button on the portal sign-in form, tier-gatedUse full team SSO instead
Single sign-onRoutes via verified-domain dispatchVerified domains, optional enforcement, JIT provisioning

Each method is a toggle. Turn on the combination that fits your users. At least one method always stays enabled per surface.

Team security

The Security page adds protections specific to the team:

  • Two-factor authentication: TOTP codes on top of a password, optionally required workspace-wide.
  • Single sign-on: connect an OIDC provider, verify your domains, and require SSO so company emails can only sign in through your IdP.
  • Recovery codes: break-glass sign-in when SSO is unavailable.
  • Audit log: an append-only record of every security-sensitive change.

Sign-in hardening

Quackback rate-limits password and magic-link sign-in attempts per IP and email address, tracks devices, and emails the account owner the first time an account signs in from a new device. The new-device email is on by default and configurable on the Team tab.

Sessions

  • Sessions last 7 days and refresh every 24 hours on activity.
  • Signing out invalidates the session immediately.
  • Sessions are stored in PostgreSQL and expired ones are cleaned up automatically.

Roles

RoleCapabilities
UserSubmit, vote, and comment on the public portal.
MemberEverything a user can do, plus access the admin dashboard and manage feedback.
AdminEverything a member can do, plus workspace settings, team management, and integrations.

See Roles & permissions for the full breakdown.

Next steps