Authentication
How users and services authenticate with the Bivariant platform — OIDC-based login, access tokens, session management, and service account authentication.
Authentication on the platform is handled through OpenID Connect (OIDC), using Zitadel as the identity provider. This provides secure, standards-based authentication for both human users and automated services.
Authentication methods
Email and password
Users can register and sign in with an email address and password:
- Sign up — create an account with email and password. The platform provisions the account in Zitadel and creates the initial organization.
- Sign in — authenticate with email and password. On success, the platform issues an access token and a refresh token.
OIDC / SSO
For enterprise environments, the platform supports external identity providers through OIDC:
- Google Workspace
- Microsoft Entra ID (Azure AD)
- Any OIDC-compliant provider
Users authenticate with their existing corporate identity and are mapped to a platform account.
Service account authentication
Service accounts (used by apps and agents) authenticate using machine-to-machine tokens issued by Zitadel. These tokens are managed automatically by the platform — you do not need to handle service account authentication manually.
Access tokens
After authentication, the platform issues:
| Token | Purpose | Lifetime |
|---|---|---|
| Access token | Authenticates API requests. Included in the Authorization header. | Short-lived (typically 1 hour) |
| Refresh token | Used to obtain new access tokens without re-authenticating. | Long-lived (configurable) |
Using access tokens
Include the access token in API requests:
```
Authorization: Bearer {access_token}
```
Refreshing tokens
When an access token expires, use the refresh token to obtain a new one:
```
POST /auth/token
{
  "refreshToken": "{refresh_token}"
}
```
Token validation
The platform validates tokens on every request:
- Verify the token signature
- Check token expiration
- Resolve the account identity
- Load organization membership and role
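The following is an added example of the client side of the flow above (attach the Bearer header, refresh through `POST /auth/token` when a request is rejected, retry once, and keep the newly issued refresh token). It is not code from the Bivariant SDK or docs. Only the endpoint and the `refreshToken` request field come from this page; the `accessToken`/`refreshToken` response fields, the HTTP 401 on a stale token, single-use (rotated) refresh tokens, and the in-memory `FakePlatform` that stands in for the API so the script runs offline are all assumptions.

```python
"""Bearer-token client with one-shot refresh-and-retry.

Added example, not Bivariant's own code. Assumed (not from the page): the
refresh response shape {"accessToken", "refreshToken"}, HTTP 401 for a stale or
unknown token, and that each refresh token is valid for exactly one refresh.
"""
import json
import time


class AuthError(Exception):
    """The refresh token was rejected; the user has to sign in again."""


class FakePlatform:
    """Constructed stand-in for the platform API (assumption, not the real service).
    Access tokens expire after `ttl` seconds; refresh tokens are single-use."""

    def __init__(self, ttl=3600, clock=time.time):
        self.ttl, self.clock, self.counter = ttl, clock, 0
        self.access = {}       # access token -> expiry timestamp
        self.refresh = set()   # refresh tokens that are still valid
        self.calls = []        # (method, path) log, handy when debugging

    def issue(self):
        self.counter += 1
        at, rt = f"at-{self.counter}", f"rt-{self.counter}"
        self.access[at] = self.clock() + self.ttl
        self.refresh.add(rt)
        return {"accessToken": at, "refreshToken": rt}

    def request(self, method, path, headers=None, body=None):
        self.calls.append((method, path))
        if method == "POST" and path == "/auth/token":
            rt = json.loads(body).get("refreshToken")
            if rt not in self.refresh:
                return 401, {"error": "invalid_grant"}
            self.refresh.discard(rt)          # rotation: the used token dies here
            return 200, self.issue()
        auth = (headers or {}).get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        exp = self.access.get(token)
        if exp is None or self.clock() >= exp:
            return 401, {"error": "invalid_token"}
        return 200, {"path": path}


class PlatformClient:
    def __init__(self, transport, access_token, refresh_token):
        self.transport = transport            # callable(method, path, headers, body)
        self.access_token, self.refresh_token = access_token, refresh_token
        self.refreshes = 0

    def _refresh(self):
        body = json.dumps({"refreshToken": self.refresh_token})
        status, payload = self.transport("POST", "/auth/token", None, body)
        if status != 200:
            # Fail closed: drop both tokens so we never loop on a dead refresh token.
            self.access_token = self.refresh_token = None
            raise AuthError("refresh rejected; user must sign in again")
        self.access_token = payload["accessToken"]
        self.refresh_token = payload["refreshToken"]   # keep the rotated token
        self.refreshes += 1

    def call(self, method, path):
        for attempt in range(2):              # original request + at most one retry
            if self.access_token is None:
                raise AuthError("not authenticated")
            headers = {"Authorization": f"Bearer {self.access_token}"}
            status, payload = self.transport(method, path, headers, None)
            if status != 401 or attempt == 1:
                return status, payload
            self._refresh()                   # 401 on first try: refresh, then retry
        raise AssertionError("unreachable")


def demo():
    """Sign in, let the access token expire, show one refresh fixing the next call."""
    now = [1_000_000.0]                       # controllable clock for the fake API
    platform = FakePlatform(ttl=3600, clock=lambda: now[0])
    tokens = platform.issue()                 # what a successful sign-in returns
    client = PlatformClient(platform.request, tokens["accessToken"], tokens["refreshToken"])
    assert client.call("GET", "/spaces")[0] == 200
    now[0] += 3601                            # access token is now expired
    status, _ = client.call("GET", "/spaces")
    return status, client.refreshes, client.access_token, client.refresh_token


def stale_refresh_is_rejected():
    """Replaying an already-used refresh token must end the session, not loop."""
    now = [0.0]
    platform = FakePlatform(ttl=10, clock=lambda: now[0])
    first = platform.issue()
    client = PlatformClient(platform.request, first["accessToken"], first["refreshToken"])
    now[0] += 11
    client.call("GET", "/me")                 # rotates rt-1 -> rt-2
    replay = PlatformClient(platform.request, "expired", first["refreshToken"])
    try:
        replay.call("GET", "/me")
    except AuthError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), stale_refresh_is_rejected())
```

The retry budget of one is deliberate: a second 401 after a fresh token means the request itself is unauthorized, and looping would only hammer the token endpoint. Treating a rejected refresh as "sign in again" rather than retrying also means a revoked session (see Session management below) is surfaced immediately instead of being retried silently.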
Session management
The platform manages user sessions with:
- Session tokens — track active sessions across devices
- Logout — invalidates the session and tokens
- Token revocation — individual tokens can be revoked without affecting other sessions
Email verification
During signup, the platform can verify email addresses:
- Check email — verify whether an email is already registered
- Email verification — send a verification link to confirm ownership
Related concepts
- Roles and Permissions — what authenticated users can do
- API Keys — alternative authentication for programmatic access
- Organizations and Spaces — the tenant context for authenticated users