Auth & Security

Authentication

Auth methods.

Overview

Zof Console authentication uses Better Auth with support for corporate SSO (SAML/OIDC), OAuth providers (Google, GitHub, Microsoft), and email one-time passcodes. Sessions are organization-scoped; switching tenants requires explicit re-authentication.

The CLI uses a device authorization flow for interactive login and accepts ZOF_API_KEY for non-interactive CI runners. API keys inherit RBAC from the creating user unless further scoped.

Who should read this

  • QA engineers, SREs, platform teams, and developers operating Zof Console and APIs.

When to use this workflow

  • Onboarding new team members to Zof terminology and workflows
  • Authoring internal runbooks aligned with Console labels
  • Designing CI/CD or webhook integrations against documented behavior

Step-by-step procedure

Enable SSO for organization

Admin Center → Security → Identity → Configure SAML/OIDC metadata from your IdP.

Map IdP groups to Zof roles (Admin, QA Lead, Engineer, Viewer).

Test login with a pilot group before enforcing SSO-only policy.

Configure allowed OAuth providers

Restrict social login to approved providers if SSO is not mandatory.

Disable unused providers to reduce account sprawl.

CLI authentication

Developers: zof auth login opens a browser for SSO or OTP sign-in and completes the device authorization flow.

CI: export ZOF_API_KEY into the runner's environment from your secrets vault; never pass keys as command-line arguments, where they end up in shell history, process listings, and job logs.

Key concepts

Session token
HttpOnly cookie bound to organization tenant; expires per session policy.
API key
Long-lived Bearer token for automation; rotatable and auditable in Admin Center.
Device flow
The CLI displays a one-time code that you confirm in the browser, so no password is typed into the terminal or stored in its history.

Best practices

  • Enforce SSO for all production organization members
  • Rotate API keys quarterly; revoke immediately on exposure suspicion
  • Use separate IdP app registrations per environment if required by policy

API request with Bearer token

curl https://api.zof.ai/v1/projects \
  -H "Authorization: Bearer ${ZOF_API_KEY}" \
  -H "Content-Type: application/json"
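The curl call above expands ZOF_API_KEY into curl's argument list, so the key is briefly visible in process listings on the runner. The following helper is an added example, not part of the Zof documentation or the zof CLI: it reads the key from the environment as the CI step recommends, refuses to run when the key is missing, masks it for log output, and feeds the Authorization header to curl through a config block on stdin (curl's -K -) so the key never appears in argv. The ZOF_API_URL variable, the key-character check, and the zof_* function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not Zof's own tooling): call the Zof API from CI without
# exposing ZOF_API_KEY in argv, shell history, or job logs.
set -eu

# Assumed default endpoint, taken from the page's curl example.
ZOF_API_URL="${ZOF_API_URL:-https://api.zof.ai/v1/projects}"

# Returns 0 if the key is present and well-formed, 1 otherwise.
# Never echoes the key itself.
zof_check_api_key() {
  key="${1:-}"
  if [ -z "$key" ]; then
    echo "ZOF_API_KEY is not set; export it from your vault before running" >&2
    return 1
  fi
  # Assumed character set for keys; adjust to the real format if it differs.
  case "$key" in
    *[!A-Za-z0-9._-]*)
      echo "ZOF_API_KEY contains unexpected characters" >&2
      return 1 ;;
  esac
  return 0
}

# Emits a curl config block. The bearer header lives here, not in argv,
# and the block is piped to curl rather than written to disk.
zof_curl_config() {
  url="$1"
  key="$2"
  printf 'url = "%s"\n' "$url"
  printf 'header = "Authorization: Bearer %s"\n' "$key"
  printf 'header = "Content-Type: application/json"\n'
  printf 'silent\nshow-error\nfail\n'
}

# Masks a key for log lines: first four characters, then asterisks.
zof_mask_key() {
  key="$1"
  printf '%s****\n' "$(printf '%s' "$key" | cut -c1-4)"
}

# Performs a GET against the Zof API using the key from the environment.
zof_api_get() {
  url="$1"
  zof_check_api_key "${ZOF_API_KEY:-}" || return 1
  echo "calling $url with key $(zof_mask_key "$ZOF_API_KEY")" >&2
  # -K - reads the config (including the header) from stdin.
  zof_curl_config "$url" "$ZOF_API_KEY" | curl -K -
}

# Run only when invoked with --run, e.g. in a CI step:
#   ZOF_API_KEY="$(vault read ...)" ./zof_ci.sh --run
if [ "${1:-}" = "--run" ]; then
  zof_api_get "$ZOF_API_URL"
fi
```

Because the header is delivered on stdin and the masked form is all that reaches stderr, a CI system that echoes commands (set -x, or verbose job logs) still does not capture the raw key; revoking and rotating the key in Admin Center remains the response if a log does leak it.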
