Authentication
Quackback has two sign-in surfaces: one for the customers who submit feedback, one for the team that manages it. Each has its own methods and its own settings page.
Two audiences
| Audience | Who they are | Where you configure it |
|---|---|---|
| Portal users | Customers who submit and vote on feedback | Admin → Settings → Security → Authentication → Portal tab |
| Team members | Admins and members who manage feedback | Admin → Settings → Security → Authentication → Team tab |
A team member can also use the public portal like any other user.
Sign-in methods
| Method | Portal users | Team members |
|---|---|---|
| Password | Yes (on by default) | Yes (on by default) |
| Magic link | Optional (off by default) | Yes (on by default) |
| OAuth social | 10 providers (Apple, Discord, Facebook, GitHub, GitLab, Google, LinkedIn, Microsoft, Reddit, Twitter / X) | Same 10 providers; GitHub and Google on by default |
| Custom OIDC (portal button) | One OIDC button on the portal sign-in form, tier-gated | Use full team SSO instead |
| Single sign-on | Sign-ins from a verified email domain are routed to the team's IdP | Verified domains, optional SSO enforcement, JIT provisioning |
Each method is a toggle. Turn on the combination that fits your users. At least one method always stays enabled per surface.
Team security
The Security page adds protections specific to the team:
- Two-factor authentication: TOTP codes on top of a password, optionally required workspace-wide.
- Single sign-on: connect an OIDC provider, verify your domains, and require SSO so company emails can only sign in through your IdP.
- Recovery codes: break-glass sign-in when SSO is unavailable.
- Audit log: an append-only record of every security-sensitive change.
Sign-in hardening
Quackback rate-limits password and magic-link sign-in attempts per IP and email address, tracks devices, and emails the account owner the first time an account signs in from a new device. The new-device email is on by default and configurable on the Team tab.
Sessions
- Sessions last 7 days and refresh every 24 hours on activity.
- Signing out invalidates the session immediately.
- Sessions are stored in PostgreSQL and expired ones are cleaned up automatically.
Roles
| Role | Capabilities |
|---|---|
| User | Submit, vote, and comment on the public portal. |
| Member | Everything a user can do, plus access the admin dashboard and manage feedback. |
| Admin | Everything a member can do, plus workspace settings, team management, and integrations. |
See Roles & permissions for the full breakdown.
Next steps
- Set up magic-link sign-in: passwordless email sign-in
- Set up OAuth providers: social login
- Set up single sign-on: enterprise SSO with domain enforcement
- Configure team security: 2FA and the audit log