Default authentication flow
- Users sign in with their corporate email or configured SSO provider.
- Secure session tokens are issued for dashboard and API key management access.
- Sessions automatically expire; reauthentication is required after inactivity or explicit logout.
Single Sign-On (SSO)
- Supported protocols: SAML 2.0 and OIDC.
- How to enable: Contact your Avra Sales Representative or Forward Deployed Engineer (FDE) with your IdP metadata. We’ll provision an SSO connection and coordinate testing before enabling it for production.
- Requirements: At least one break-glass admin using email/password + MFA in case the IdP is unavailable.
API access
API keys are scoped to workspaces and can be rotated without impacting dashboard sessions. Each key is mapped to the user who created it for auditability.
Session security
- We allow users to set up multi-factor authentication (MFA) for enhanced security.
- Risk-based controls automatically sign out sessions from unrecognized devices.
- You can revoke active sessions in the dashboard under Access & Security → Active Sessions.