Authentication
Overview of WRNexus authentication methods — password, magic link, OAuth, and MFA options.
WRNexus supports multiple authentication methods out of the box. You can enable as many as you need per workspace.
Email + password
The default method. Passwords are hashed with Argon2id and never stored in plaintext. We enforce a minimum entropy requirement and block passwords found in known breach databases.
Magic link (passwordless)
Request a one-time sign-in link sent to your email. The link is valid for 15 minutes and can only be used once. Ideal for users who prefer not to manage passwords.
To use magic links, click “Email me a link” on the login page instead of entering your password.
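The following added example shows one way a server can enforce the 15-minute, single-use properties described above. It is not WRNexus code: the MagicLinkStore class, its in-memory dict, the injected clock and the sample address are assumptions made for illustration.

```python
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 15 * 60  # validity window stated on this page


class MagicLinkStore:
    """In-memory stand-in for a token table (hypothetical, for illustration)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (email, expires_at)

    def issue(self, email):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Only the digest is stored, so a leaked table cannot be replayed.
        self._pending[digest] = (email, self._clock() + LINK_TTL_SECONDS)
        return token  # goes into the emailed URL, never into logs

    def redeem(self, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        # pop() removes the record before any other check, so a second
        # attempt with the same token finds nothing (single use).
        record = self._pending.pop(digest, None)
        if record is None:
            return None
        email, expires_at = record
        if self._clock() >= expires_at:
            return None  # expired links are consumed, not revived
        return email


def demo():
    now = [1_000_000.0]  # constructed clock value, advanced by hand
    store = MagicLinkStore(clock=lambda: now[0])
    t1 = store.issue("user@example.com")  # constructed address
    first, second = store.redeem(t1), store.redeem(t1)
    t2 = store.issue("user@example.com")
    now[0] += LINK_TTL_SECONDS + 1
    late = store.redeem(t2)
    return first, second, late
```

In a database-backed store, the pop step has to be a single atomic delete-and-return statement so that two concurrent requests carrying the same link cannot both succeed.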
OAuth providers
WRNexus supports social login via:
- Google — any Google account, including Google Workspace accounts.
- GitHub — OAuth app linked to your GitHub account.
OAuth logins are automatically linked to an existing WRNexus account if the same email address is already registered.
Multi-factor authentication (MFA)
We recommend enabling at least one MFA method on all accounts.
TOTP (Time-based One-Time Password)
Works with any TOTP-compatible authenticator app (Google Authenticator, Authy, 1Password, etc.):
- Go to Account → Security → MFA.
- Click Set up authenticator app.
- Scan the QR code with your authenticator.
- Enter the 6-digit code to confirm.
- Save your recovery codes somewhere safe.
WebAuthn / passkeys
Register a hardware security key (YubiKey, etc.) or a platform authenticator (Touch ID, Face ID, Windows Hello):
- Go to Account → Security → MFA.
- Click Add passkey.
- Follow the browser prompt to register your device.
Recovery codes
If you lose access to your MFA device, use one of the 10 recovery codes generated during MFA setup. Each code can only be used once. Regenerate them at any time from Account → Security.
Session management
- Sessions expire after 14 days of inactivity, with a hard cap of 90 days.
- All active sessions are visible under Account → Security → Active sessions.
- You can revoke any session individually or sign out everywhere.
Security best practices
- Enable MFA on all accounts, especially those with admin access.
- Rotate API keys regularly.
- Review the audit log in Account → Security → Audit log periodically.