Authentication

SSO is free on every plan. Sign in with Google, GitHub, Microsoft, or Apple — or use email and password, secured with optional two-factor auth and passkeys. Agents authenticate with scoped harness keys.

Sign Up

Signing up is a two-step process:

  1. Create your account — provide your email and password (or click an SSO provider)
  2. Configure your workspace — choose a workspace name, URL slug, and issue key prefix (e.g. ACME)

Signup is open — create an account anytime. SSO is free on every plan.

SSO Providers

All SSO providers are available on every plan — including Free. No enterprise paywall.

Provider     Protocol                          Status
Google       OAuth 2.0                         Available
GitHub       OAuth 2.0                         Available
Microsoft    OAuth 2.0                         Available
Apple        Sign in with Apple (OAuth 2.0)    Available
SAML 2.0     SAML                              Coming soon

When you sign in with an SSO provider for the first time, xpntl creates your account automatically. If you already have an account with the same email, the provider is linked to your existing account.

Two-Factor Authentication

Accounts with a password can add time-based one-time password (TOTP) two-factor auth from Settings → Security — compatible with any authenticator app (1Password, Authy, Google Authenticator, etc.).

  • Enrollment — scan a QR code, confirm with a 6-digit code to enable
  • Recovery codes — ten single-use codes are issued at enrollment; each works once if you lose your authenticator
  • Login challenge — after your password is verified, sign-in pauses on a 2FA step; you submit a TOTP or recovery code and the session is only minted once it passes
  • Regenerate / disable — both require a current TOTP or recovery code
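The following is an added example, not xpntl's own code, showing the enrollment and login-challenge behaviour listed above end to end: a TOTP that any authenticator app can produce, ten single-use recovery codes, and a session that is minted only after the second factor passes. It assumes RFC 6238 TOTP with HMAC-SHA1, 30-second steps and 6 digits (the defaults of the listed apps), a one-step clock tolerance, and recovery codes retained only as SHA-256 hashes; the `TwoFactorEnrollment` class and `complete_login_challenge` function are illustrative names, not part of the product.

```python
"""Added example (not xpntl's code): a TOTP second factor with single-use
recovery codes, modelled on the enrollment / login-challenge behaviour
described above.

Assumptions not stated on the page: RFC 6238 TOTP with HMAC-SHA1, 30-second
steps and 6 digits, a one-step clock tolerance, and recovery codes retained
only as SHA-256 hashes."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional

STEP_SECONDS = 30
DIGITS = 6
RECOVERY_CODE_COUNT = 10  # page: ten single-use codes issued at enrollment


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // STEP_SECONDS)


def verify_totp(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Accept the current step and `window` neighbours on each side (clock drift);
    every candidate is compared in constant time."""
    counter = at // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), submitted)
        for delta in range(-window, window + 1)
    )


class TwoFactorEnrollment:
    """Per-account 2FA state: the TOTP secret plus hashes of unused recovery codes."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(20)
        self.unused_recovery_hashes = set()

    @staticmethod
    def _hash(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def provisioning_uri(self, account: str, issuer: str = "xpntl") -> str:
        """The otpauth:// URI encoded in the enrollment QR code."""
        b32 = base64.b32encode(self.secret).decode().rstrip("=")
        return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
                f"&issuer={issuer}&digits={DIGITS}&period={STEP_SECONDS}")

    def issue_recovery_codes(self) -> List[str]:
        """Return ten fresh plaintext codes; only their hashes are kept server-side."""
        codes = [secrets.token_hex(5) for _ in range(RECOVERY_CODE_COUNT)]
        self.unused_recovery_hashes = {self._hash(c) for c in codes}
        return codes

    def consume_recovery_code(self, code: str) -> bool:
        """Each recovery code works exactly once."""
        digest = self._hash(code.strip().lower())
        if digest in self.unused_recovery_hashes:
            self.unused_recovery_hashes.discard(digest)
            return True
        return False


def complete_login_challenge(enrollment: TwoFactorEnrollment, submitted: str,
                             now: Optional[int] = None) -> Optional[str]:
    """Second sign-in step: the password is already verified but no session exists yet.
    A session token is minted only when a TOTP or a recovery code passes."""
    at = int(time.time()) if now is None else now
    if verify_totp(enrollment.secret, submitted.strip(), at) or \
            enrollment.consume_recovery_code(submitted):
        return secrets.token_urlsafe(32)  # constructed session token
    return None
```

The ordering in `complete_login_challenge` matters: the session value is created inside the branch that follows a successful check, so there is no code path that hands out a session with the factor still pending. The RFC 6238 test secret (`12345678901234567890`, ASCII) is a convenient way to confirm the arithmetic against an authenticator app.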

Passkeys

Passkeys (WebAuthn) let you sign in with Touch ID, Face ID, Windows Hello, or a hardware security key — no password required. Manage them under Settings → Security.

  • Register — add one or more passkeys to your account from any supported device
  • Passwordless sign-in — the sign-in page offers a passkey option using discoverable credentials, so you don't even type your email
  • Manage — list and remove passkeys at any time

Mobile Sign-In

The native iOS app uses a server-brokered OAuth flow: the app opens the provider in a secure web session, and xpntl brokers the exchange so it works even when the provider blocks custom URL schemes on web clients. The flow is bound end-to-end with PKCE and the resulting token is handed back in a short-lived, encrypted ticket that only the originating app can open. MFA is fully supported in the app.
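As an added example (not xpntl's code), here is the PKCE binding (RFC 7636) that the mobile flow above relies on, shown from both ends: the app generates a verifier and sends only its S256 challenge, and the broker releases a token only to a caller that can present the matching verifier. The brokered web session and the encrypted ticket are not modelled; `AuthorizationBroker` and its methods are illustrative names, not the product's API.

```python
"""Added example (not xpntl's code): the PKCE verifier/challenge pair that
ties a token exchange to the app instance that started the flow."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def new_code_verifier() -> str:
    """App side: 32 random bytes -> 43-character verifier, kept in memory only."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """App side: the S256 challenge sent with the initial authorization request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationBroker:
    """Server side: remembers the challenge per pending authorization code and only
    releases a token when the presented verifier hashes to that challenge."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}  # authorization code -> challenge

    def start(self, challenge: str) -> str:
        """Begin an authorization; the returned code is what the app later redeems."""
        code = secrets.token_urlsafe(24)
        self._pending[code] = challenge
        return code

    def exchange(self, code: str, verifier: str) -> Optional[str]:
        """Redeem a code. The code is consumed on first use whether or not the
        verifier matches, so a stolen code cannot be retried."""
        challenge = self._pending.pop(code, None)
        if challenge is None:
            return None
        if not hmac.compare_digest(code_challenge(verifier), challenge):
            return None
        return secrets.token_urlsafe(32)  # constructed token, stands in for the real one
```

The point of the pairing is that an intercepted authorization code is useless without the verifier, which never leaves the app; the broker can therefore accept the code from whichever web session delivered it and still be sure which app instance gets the token.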

Sessions

Sessions are stored as secure, httpOnly cookies. Key behaviors:

  • Rolling expiry — a 30-day window that extends on activity
  • Idle timeout — inactive sessions expire and redirect to sign-in with a notice
  • Multi-workspace — if your account belongs to multiple workspaces, you'll see a workspace picker at sign-in
  • Revocable — review active sessions (device, IP, last active) and revoke them — or sign out everywhere — from Settings → Sessions

Device Authorization Flow

The CLI and other headless clients use the device authorization flow (based on RFC 8628). No passwords are ever entered outside the browser.

How it works

  1. Client requests a device code: POST /v1/auth/device/code
  2. API returns a userCode (format: XXXX-XXXX) and a verificationUri
  3. User opens the verification URL in their browser and approves the code
  4. Client polls POST /v1/auth/device/token until approved
  5. API returns a session token — client stores it locally

Device codes expire after 10 minutes. The polling interval is returned in the initial response.

API endpoints

Endpoint                  Method   Description
/v1/auth/device/code      POST     Generate a new device + user code pair
/v1/auth/device/token     POST     Poll for authorization (returns authorization_pending or token)
/v1/auth/device/approve   POST     Approve a user code (requires browser session auth)
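The five steps and the three endpoints above, as an added example that is not xpntl's code: an in-memory model of the API side and a CLI-style client, so the exchange can be stepped through offline without sleeping. It assumes the JSON field names other than userCode and verificationUri (deviceCode, expiresIn, interval), the approve request shape, the user-code alphabet, a 5-second polling interval and RFC 8628's slow_down / expired_token / invalid_grant error names; none of those are stated on the page, and the verification URL is a placeholder.

```python
"""Added example (not xpntl's code): both sides of the device authorization
flow, with plain functions standing in for the three HTTP endpoints."""
import re
import secrets
from typing import Dict, Optional, Tuple

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # assumption: consonants only, no look-alikes
DEVICE_CODE_TTL = 600                         # page: device codes expire after 10 minutes
POLL_INTERVAL = 5                             # assumption; the real value is in the response
USER_CODE_RE = re.compile(r"^[A-Z]{4}-[A-Z]{4}$")


class DeviceAuthServer:
    """API side: mints code pairs, records browser approvals, answers polls."""

    def __init__(self, verification_uri: str = "https://app.example.invalid/device"):
        self.verification_uri = verification_uri  # placeholder, not the real URL
        self._by_device_code: Dict[str, dict] = {}
        self._by_user_code: Dict[str, dict] = {}

    def code(self, now: int) -> dict:
        """POST /v1/auth/device/code: new device code + XXXX-XXXX user code pair."""
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        record = {"device_code": secrets.token_urlsafe(32),
                  "user_code": f"{raw[:4]}-{raw[4:]}",
                  "expires_at": now + DEVICE_CODE_TTL,
                  "approved_by": None, "last_poll": None}
        self._by_device_code[record["device_code"]] = record
        self._by_user_code[record["user_code"]] = record
        return {"deviceCode": record["device_code"], "userCode": record["user_code"],
                "verificationUri": self.verification_uri,
                "expiresIn": DEVICE_CODE_TTL, "interval": POLL_INTERVAL}

    def approve(self, browser_session_user: Optional[str], user_code: str, now: int) -> dict:
        """POST /v1/auth/device/approve: only an authenticated browser session may approve."""
        if browser_session_user is None:
            return {"error": "unauthorized"}
        record = self._by_user_code.get(user_code.strip().upper())
        if record is None or now >= record["expires_at"]:
            return {"error": "invalid_or_expired_code"}
        record["approved_by"] = browser_session_user
        return {"ok": True}

    def token(self, device_code: str, now: int) -> dict:
        """POST /v1/auth/device/token: authorization_pending until the user approves."""
        record = self._by_device_code.get(device_code)
        if record is None:
            return {"error": "invalid_grant"}
        if now >= record["expires_at"]:
            self._forget(record)
            return {"error": "expired_token"}
        if record["last_poll"] is not None and now - record["last_poll"] < POLL_INTERVAL:
            return {"error": "slow_down"}  # client is polling faster than `interval`
        record["last_poll"] = now
        if record["approved_by"] is None:
            return {"error": "authorization_pending"}
        self._forget(record)  # a device code is exchanged at most once
        return {"token": secrets.token_urlsafe(32), "user": record["approved_by"]}

    def _forget(self, record: dict) -> None:
        self._by_device_code.pop(record["device_code"], None)
        self._by_user_code.pop(record["user_code"], None)


def run_device_login(server: DeviceAuthServer, clock: list, approve_after_polls: int,
                     approver: str, max_polls: int = 10) -> Tuple[Optional[dict], int]:
    """Client side of the five numbered steps. `clock` is a one-element list holding
    the current time so the simulation can advance it instead of sleeping; the
    browser approval (step 3) is simulated after `approve_after_polls` pending polls.
    Returns (token response or None, number of polls made)."""
    start = server.code(clock[0])                                   # steps 1-2
    print(f"Open {start['verificationUri']} and enter {start['userCode']}")
    for polls_made in range(1, max_polls + 1):
        if polls_made - 1 == approve_after_polls:
            server.approve(approver, start["userCode"], clock[0])   # step 3, in the browser
        clock[0] += start["interval"]                                # honour the interval
        resp = server.token(start["deviceCode"], clock[0])          # step 4
        if "token" in resp:
            return resp, polls_made                                 # step 5: store locally
        if resp["error"] not in ("authorization_pending", "slow_down"):
            raise RuntimeError(resp["error"])
    return None, max_polls
```

Two details worth noticing on the server side: the device code (the long secret the client holds) and the user code (the short one a person types) index the same record, and approval is keyed only on the user code while the token is keyed only on the device code, so a person who sees a user code on screen never learns the value the CLI needs.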

Harness Keys

Harness keys authenticate coding agents (Claude Code, Codex, Cursor, etc.) and CI/CD pipelines. Each key is scoped to a single workspace.

  • Keys start with xpntl_hk_ and are shown only once at creation
  • Generate them from Settings → Team (add an agent, then Connect) or manage the full list under Settings → Plan & Billing in Coding Harness Keys
  • Each key can optionally be bound to a specific agent user for audit attribution
  • Keys can be revoked at any time — the agent loses access immediately

Harness keys authenticate over MCP and the REST API as a Bearer token. For external integrations that need narrower, scoped access instead of a full agent identity, create a scoped API key (prefix xp_live_) under Settings → API Keys.

Use one harness key per agent or harness. This ensures every action in the audit log is attributed to the correct agent identity.
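As an added example (not xpntl's code), the following models the harness-key behaviour described above: keys carry the xpntl_hk_ prefix, the plaintext is returned once and never stored, a key is scoped to one workspace and may be bound to an agent user, revocation takes effect on the next request, and every accepted action is attributed in an audit log. It assumes keys are stored as SHA-256 hashes with a 32-byte random part; the key id, the `HarnessKeyStore` class and the audit-record shape are invented for illustration.

```python
"""Added example (not xpntl's code): issuing, storing and verifying
workspace-scoped harness keys presented as Bearer tokens."""
import hashlib
import secrets
import time
from typing import Dict, List, Optional, Tuple

PREFIX = "xpntl_hk_"  # page: harness keys start with this prefix


class HarnessKeyStore:
    def __init__(self) -> None:
        self._by_hash: Dict[str, dict] = {}   # sha256(plaintext) -> record
        self._by_id: Dict[str, str] = {}      # key id -> sha256(plaintext)
        self.audit_log: List[dict] = []

    @staticmethod
    def _hash(plaintext: str) -> str:
        return hashlib.sha256(plaintext.encode()).hexdigest()

    def create(self, workspace: str, agent_user: Optional[str] = None,
               label: str = "") -> Tuple[str, str]:
        """Mint a key for one workspace. Returns (key_id, plaintext); the plaintext
        is never stored, so this is the only time it can be shown."""
        plaintext = PREFIX + secrets.token_urlsafe(32)
        key_id = secrets.token_hex(6)  # assumption: an opaque id for the settings list
        digest = self._hash(plaintext)
        self._by_hash[digest] = {"key_id": key_id, "workspace": workspace,
                                 "agent_user": agent_user, "label": label,
                                 "revoked": False, "created_at": time.time()}
        self._by_id[key_id] = digest
        return key_id, plaintext

    def revoke(self, key_id: str) -> bool:
        """A flag flip on the stored record, so it takes effect on the next request."""
        digest = self._by_id.get(key_id)
        if digest is None:
            return False
        self._by_hash[digest]["revoked"] = True
        return True

    def list_keys(self, workspace: str) -> List[dict]:
        """What a settings page can list: ids and metadata, never secrets."""
        return [{"key_id": r["key_id"], "label": r["label"], "agent_user": r["agent_user"],
                 "revoked": r["revoked"]}
                for r in self._by_hash.values() if r["workspace"] == workspace]

    def authenticate(self, authorization_header: Optional[str], workspace: str) -> Optional[str]:
        """Resolve an Authorization header to the identity actions are attributed to.
        Returns None for a missing or malformed header, an unknown or revoked key,
        or a key scoped to a different workspace."""
        scheme, _, credential = (authorization_header or "").strip().partition(" ")
        if scheme != "Bearer" or not credential.startswith(PREFIX):
            return None
        record = self._by_hash.get(self._hash(credential))  # lookup by hash, never plaintext
        if record is None or record["revoked"] or record["workspace"] != workspace:
            return None
        return record["agent_user"] or f"harness-key:{record['key_id']}"

    def record_action(self, authorization_header: Optional[str], workspace: str,
                      action: str) -> bool:
        """Authenticate, then append an attributed audit entry; rejected requests leave none."""
        actor = self.authenticate(authorization_header, workspace)
        if actor is None:
            return False
        self.audit_log.append({"actor": actor, "workspace": workspace,
                               "action": action, "at": time.time()})
        return True
```

Because the attribution comes from the record the key hashes to, sharing one key between two agents would make their actions indistinguishable in `audit_log`; that is the practical reason for the one-key-per-agent guidance.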

Roles

Role      Capabilities
Owner     Full access — billing, workspace settings, member management, issue CRUD
Admin     Workspace settings, member management, issue CRUD
Member    Issue CRUD, comment, assign
Guest     Read-only access