Authentication

Rivano supports three authentication methods: OAuth social login, OIDC single sign-on, and API keys. Dashboard sessions use httpOnly cookies with CSRF protection. Programmatic access uses API keys.

OAuth login (Google / GitHub)

The default sign-in flow redirects to Google or GitHub, exchanges the authorization code for an access token, and creates a session cookie. No password is stored in Rivano.

  1. Navigate to app.rivano.ai and click Sign in with Google or Sign in with GitHub.
  2. Authorize the OAuth app in your provider.
  3. Rivano creates or updates your user record, then issues a session cookie.

Linking a second provider to an existing account: go to Settings → Profile and click Link account under the provider you want to add.

OIDC single sign-on

Enterprise teams can configure an OIDC provider (Rivano uses Zitadel internally) so that all team members sign in through your identity provider.

Setup

  1. Go to Settings → SSO in the dashboard.
  2. Enter your OIDC issuer URL, client ID, and client secret.
  3. Add https://app.rivano.ai/auth/callback as an allowed redirect URI in your identity provider.
  4. Click Test connection to validate the configuration.
  5. Click Enable SSO. Existing sessions remain valid until they expire (up to 7 days of inactivity, see Session management), so enabling SSO does not immediately push members who are already signed in through your identity provider.

Once SSO is enabled, new sign-ins are routed through your identity provider and OAuth login is disabled for members of the tenant. Owners keep a break-glass path: they can bypass SSO from the Settings page if needed. Because that path is not covered by your identity provider's policies, keep the set of owner accounts small.

Role mapping

Rivano maps incoming OIDC claims to internal roles using the rivano_role claim. Set this claim in your identity provider to owner, admin, or member. If the claim is absent, new users default to member.
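A pre-flight check for the claim, added here as an example (it is not Rivano's code and not part of this page): before clicking Test connection, obtain an ID token from your identity provider, decode its payload, and confirm that rivano_role is present and carries one of the three recognised values. The decoder skips signature verification on purpose, which is acceptable only because you are inspecting a token you obtained yourself; never use it to authenticate anyone. The page does not say how Rivano treats an unrecognised value, so the checker reports it as a configuration error rather than guessing. The make_unsigned_token helper and the sample claims are constructed for the demonstration.

```python
import base64
import json

# Values Rivano recognises in the rivano_role claim (from the page).
ROLE_CLAIM = "rivano_role"
VALID_ROLES = ("owner", "admin", "member")
DEFAULT_ROLE = "member"  # what a new user gets when the claim is absent


def decode_jwt_payload(id_token):
    """Return the claims of a JWT WITHOUT verifying its signature.

    Only for inspecting a token you obtained from your own identity
    provider during setup. Never use it to authenticate anyone.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_role(claims):
    """Apply the rule the page documents: absent claim -> member.

    The page does not say how Rivano treats an unrecognised value, so this
    checker reports it as a configuration error instead of guessing.
    """
    value = claims.get(ROLE_CLAIM)
    if value is None:
        return DEFAULT_ROLE, "claim absent; new users will default to member"
    if value not in VALID_ROLES:
        raise ValueError(f"{ROLE_CLAIM}={value!r} is not one of {VALID_ROLES}")
    return value, "claim present"


def check_role_claim(id_token):
    """Decode a token and report the role Rivano would assign from it."""
    claims = decode_jwt_payload(id_token)
    role, note = resolve_role(claims)
    return {"subject": claims.get("sub"), "role": role, "note": note}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims):
    """Constructed, unsigned JWT (alg=none, empty signature) for the demo.

    Real ID tokens are signed by your identity provider; this helper only
    exists so the example runs offline.
    """
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


if __name__ == "__main__":
    # Constructed claims standing in for ID tokens from your identity provider.
    for claims in ({"sub": "alice", ROLE_CLAIM: "admin"}, {"sub": "bob"}):
        print(check_role_claim(make_unsigned_token(claims)))
    try:
        check_role_claim(make_unsigned_token({"sub": "carol", ROLE_CLAIM: "superuser"}))
    except ValueError as err:
        print("misconfigured claim:", err)
```

Paste a real ID token from your identity provider into check_role_claim to see the role Rivano would derive from it; a token that raises here would sign the user in as a misconfigured role or, at best, as member.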

API keys

API keys authenticate programmatic access to the Rivano REST API and SDK. Keys are prefixed with rv_.

Scopes

Scope    What it grants
api      Full read/write access to all control plane resources
agent    Read-only access to agent configurations and traces
ingest   Write-only access to ingest trace data

Use ingest-scoped keys for your data pipeline. Use agent-scoped keys for read-only automation. Use api-scoped keys only for admin scripts where full access is required: a leaked api-scoped key gives full control of every control plane resource, whereas a leaked ingest-scoped key can only write trace data.

Creating a key

# Via the Rivano CLI
rivano keys create --name "ci-pipeline" --scope ingest

# Output includes the key string — it is only shown once
# Key: rv_ingest_abc123...

Or go to Settings → API Keys in the dashboard and click + New Key.

The key string is only returned at creation time. If you lose it, delete the key and create a new one. Rivano never stores the plaintext key.

Using a key

Pass the key in the Authorization header:

curl https://api.rivano.ai/api/agents \
  -H "Authorization: Bearer rv_api_..."
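An added example of using a key from application code (not Rivano's SDK and not code from this page): the job declares the scope it needs, reads the key from an environment variable rather than from source, refuses a key whose scope does not match, and puts the key only in the Authorization header. The rv_<scope>_<secret> shape is taken from the page's examples; the secret alphabet, the /api/traces path and the RIVANO_API_KEY variable name are assumptions.

```python
import json
import os
import re
import urllib.request

API_BASE = "https://api.rivano.ai"

# Key shape taken from the page's examples (rv_ingest_abc123..., rv_api_...);
# the secret alphabet is an assumption.
KEY_RE = re.compile(r"^rv_(api|agent|ingest)_([A-Za-z0-9]+)$")


def key_scope(key):
    """Return the scope embedded in a key, or raise if the key is malformed."""
    m = KEY_RE.match(key)
    if not m:
        raise ValueError("malformed Rivano API key")
    return m.group(1)


def redact(key):
    """Log-safe form of a key: scope prefix plus the last four characters."""
    m = KEY_RE.match(key)
    if not m:
        return "<invalid key>"
    return f"rv_{m.group(1)}_...{m.group(2)[-4:]}"


def load_key(required_scope, env_var="RIVANO_API_KEY", environ=None):
    """Read the key from the environment and enforce least privilege.

    The caller declares the scope it needs; a key with any other scope is
    refused, so an api-scoped admin key pasted into an ingest pipeline's
    secret store is caught at startup instead of silently granting full
    access. `environ` lets callers pass a dict instead of os.environ.
    """
    environ = os.environ if environ is None else environ
    key = environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set")
    scope = key_scope(key)
    if scope != required_scope:
        raise RuntimeError(
            f"{env_var} holds {redact(key)} ({scope}-scoped) but this job "
            f"needs an {required_scope}-scoped key"
        )
    return key


def build_request(key, path, method="GET", body=None):
    """Build an authenticated request; the key appears only in the header."""
    headers = {"Authorization": f"Bearer {key}", "Accept": "application/json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(API_BASE + path, data=data, headers=headers, method=method)


def send(req):
    """Perform the request; this is the only function that touches the network."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed key for the demo; real keys come from the CLI or dashboard.
    demo_env = {"RIVANO_API_KEY": "rv_ingest_k9XQ2mP7vR4sT1uW"}
    key = load_key("ingest", environ=demo_env)
    # /api/traces is an assumed ingest path; the page only shows /api/agents.
    req = build_request(key, "/api/traces", method="POST", body={"spans": []})
    print(req.get_method(), req.full_url, "using", redact(key))
    try:
        load_key("ingest", environ={"RIVANO_API_KEY": "rv_api_ZZ8aB3cD4eF5gH6j"})
    except RuntimeError as err:
        print("refused:", err)
```

The strict scope check is deliberate: an api-scoped key would work for an ingest job, which is exactly why a mis-pasted admin key tends to go unnoticed until it leaks.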

Key rotation

  1. Create a new key with the same scope.
  2. Update your environment variables or secrets manager to use the new key.
  3. Verify the new key works.
  4. Delete the old key from Settings → API Keys.

Rotate keys immediately if you suspect exposure. Deleted keys are invalidated within seconds.
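Suspecting exposure usually starts with finding a key somewhere it should not be, such as a debug log that echoed request headers or a committed .env file. As an added example (not Rivano's tooling and not from this page), the scanner below runs over constructed log and config lines, reports every key-like token in redacted form, and orders findings so that api-scoped keys are rotated first. The key pattern is inferred from the page's examples and is an assumption; the sample lines are constructed.

```python
import re

# Candidate-key pattern inferred from the page's examples (rv_<scope>_<secret>);
# the alphabet and the minimum length of the secret part are assumptions.
CANDIDATE_RE = re.compile(r"\brv_(api|agent|ingest)_([A-Za-z0-9]{8,})\b")


def find_leaked_keys(text):
    """Return (line_number, scope, redacted_key) for every key-like token.

    Documentation placeholders such as rv_api_... have no secret part and
    therefore do not match, so they are not reported.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            scope, secret = m.group(1), m.group(2)
            hits.append((lineno, scope, f"rv_{scope}_...{secret[-4:]}"))
    return hits


def triage(hits):
    """Order findings by blast radius: api (full access) first, ingest last."""
    severity = {"api": 0, "agent": 1, "ingest": 2}
    return sorted(hits, key=lambda h: (severity[h[1]], h[0]))


# Constructed sample: a debug log that echoed request headers and a
# committed .env file. None of these are real keys.
SAMPLE = "\n".join([
    "2024-05-01T10:00:00Z INFO  starting pipeline",
    "2024-05-01T10:00:01Z DEBUG request headers: {'Authorization': 'Bearer rv_ingest_k9XQ2mP7vR4sT1uW'}",
    "# docs placeholder, not a real key: rv_api_...",
    "RIVANO_API_KEY=rv_api_ZZ8aB3cD4eF5gH6j  # committed .env file",
])


if __name__ == "__main__":
    for lineno, scope, redacted in triage(find_leaked_keys(SAMPLE)):
        print(f"line {lineno}: {redacted} ({scope}-scoped) -> rotate now")
```

Run it over CI logs and the repository history as well as the working tree; a key that was deleted from a file is still in the commit that added it, and the rotation steps above are the only remedy.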

Session management

Dashboard sessions use httpOnly, SameSite=Strict cookies. Sessions expire after 7 days of inactivity. CSRF tokens are validated on all mutating requests.

Token refresh

Sessions refresh automatically on activity. If a session expires, the dashboard redirects to the sign-in page. There is no explicit refresh-token endpoint — re-authenticate to get a new session.

Sign out

Click your avatar in the top-right corner and select Sign out. This invalidates the server-side session and clears the cookie. Signing out of one browser does not invalidate sessions in other browsers.